A security researcher revealed a “catastrophic” vulnerability in Arc browser, since patched, that would have allowed attackers to insert arbitrary code into other users’ browser sessions with an easily findable user ID.

https://www.theverge.com/2024/9/20/24249919/arc-browser-boost-firebase-vulnerability-patched