Researcher reveals ‘catastrophic’ security flaw in the Arc browser

Arc has a feature called Boosts that allows you to customize any website with custom CSS and Javascript.

Unfortunately our Firebase ACLs were misconfigured…This allowed any Boost to be assigned to any user (provided you had their userID), and thus activate it for them, leading to custom CSS or JS running on the website the boost was active on.

This kinda stuff is why I stick with Safari and Firefox