Frank van Puffelen
puf.bsky.social
did:plc:r5shvvsyaq3kfatc3novwud6
A code injection vulnerability was discovered, plugged and publicized in the Arc browser recently. Since this involved Firestore and its security rules, I dug in a bit to see how it works.
The cause was a misconfigured ACL. I doubt this to be a widespread vuln beyond Arc.
1/🧵
2024-09-27T12:52:48.000Z