Arc Browser had a ‘serious’ security vulnerability last month, now patched
Essentially, Arc still saved custom boosts containing JavaScript to its server so that they could sync across devices. Arc also used Firebase as the backend for certain Arc features, and its Firebase setup was misconfigured, allowing users to change the creatorID of a boost after it was created.
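The misconfiguration described above comes down to an update rule that checks who owns the stored record but not whether the write changes the owner field. The following is an added example, not Arc's actual rules or code: a constructed JavaScript model of that check beside a hardened version that treats creatorID as immutable. Only the field name creatorID comes from the article; the function names, record shape and user IDs are assumptions.

```javascript
// Added example: constructed model of an update-authorization rule for a synced boost.
// Only the field name creatorID comes from the article; all other names and values are hypothetical.

// Weak rule: checks that the caller owns the record as stored, but never
// inspects the incoming creatorID, so the owner field can be rewritten.
function weakCanUpdate(authUid, stored, incoming) {
  return typeof authUid === "string" && stored.creatorID === authUid;
}

// Hardened rule: the caller must own the stored record and the write must
// leave creatorID exactly as it was set at creation time.
function hardenedCanUpdate(authUid, stored, incoming) {
  return (
    typeof authUid === "string" &&
    authUid.length > 0 &&
    stored.creatorID === authUid &&
    incoming.creatorID === stored.creatorID
  );
}

// Run one rule over constructed update requests against a constructed record.
function evaluate(rule) {
  const stored = { id: "boost-1", creatorID: "user-a", script: "/* custom JS */" };
  const requests = {
    ownerEditsScript: ["user-a", { ...stored, script: "/* edited */" }],
    ownerChangesCreator: ["user-a", { ...stored, creatorID: "user-b" }],
    ownerDropsCreator: ["user-a", { id: stored.id, script: stored.script }],
    otherUserEdits: ["user-b", { ...stored, script: "/* edited */" }],
    unauthenticated: [null, { ...stored }],
  };
  const decisions = {};
  for (const [name, [uid, incoming]] of Object.entries(requests)) {
    decisions[name] = rule(uid, stored, incoming);
  }
  return decisions;
}

console.log("weak    ", evaluate(weakCanUpdate));
console.log("hardened", evaluate(hardenedCanUpdate));
```

If the backend is Cloud Firestore (an assumption; the article says only Firebase), the hardened condition corresponds to an update rule that compares `request.resource.data.creatorID` with `resource.data.creatorID` in addition to checking `request.auth.uid`.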