The author explores Arc, a browser that requires an account to use and relies on Firebase for authentication. They examine features such as easels and boosts, the latter allowing website customization with JavaScript, and uncover vulnerabilities in the system that allow for malicious attacks. By manipulating boost creator IDs, obtaining user IDs, and creating harmful boosts, the author demonstrates a serious security flaw in Arc. Despite initial doubts, the company acknowledges the flaw, patches it, and awards the author $2,000. Furthermore, unauthorized data collection raises privacy concerns and contradicts Arc’s privacy policy. The write-up showcases a blend of hacking skills, ethical responsibility, and privacy awareness within the tech community.
https://kibty.town/blog/arc/