Gaining access to anyone's browser without them even visiting a website
https://kibty.town/blog/arc/
@DevMisc
#security #firebase #learn
- Arc Browser
- arc boosts can contain arbitrary javascript
- arc boosts are stored in firestore
- the arc browser gets which boosts to use via the creatorID field
- we can arbitrarily change the creatorID field to any user id
- $2000 bounty
- possible RCE with xss on privileged pages (chrome://settings)
- arc sends every url you visit to firebase queries
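
The mitigation for the creatorID reassignment above, written as Firestore security rules. This is an added example, not Arc's actual rules or code from the linked post: the collection name `boosts`, the helper function names and the "weak" rule shown in the comment are assumptions, and only the `creatorID` field name comes from the summary.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // "boosts" is an assumed collection name for this example.
    match /boosts/{boostId} {

      // Weak pattern (assumed, shown for contrast): it authorizes against the
      // stored owner only, so the owner of a document may write any value
      // into creatorID, including another user's id.
      //
      //   allow update: if request.auth.uid == resource.data.creatorID;

      function signedIn() {
        return request.auth != null;
      }

      // resource.data is the document as currently stored.
      function ownsExisting() {
        return resource.data.creatorID == request.auth.uid;
      }

      // request.resource.data is the document as it would look after the write.
      function ownsIncoming() {
        return request.resource.data.creatorID == request.auth.uid;
      }

      allow read, delete: if signedIn() && ownsExisting();

      // A new boost can only be created under the caller's own id.
      allow create: if signedIn() && ownsIncoming();

      // An update must come from the current owner AND leave creatorID
      // pointing at that same owner, so ownership cannot be reassigned.
      allow update: if signedIn() && ownsExisting() && ownsIncoming();
    }
  }
}
```

Because Firestore clients talk to the database directly, these rules are the only server-side authorization check; any ownership check done in the client does not count.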