Comment by aanet
Fascinating vulnerability, and a fascinating way to catch it. Kudos.
BTW, on the "Security" page of Arc's website there is still no mention of this vulnerability (as of 20th Sep 2024, 2:32 pm PT).
Check it out - https://arc.net/security
Apparently the company had contracted with one Latacora for "regular outside security reviews and trainings across a wide range of different systems".
Elsewhere on the page, it says "Arc uses GCP Firebase for user authentication, storage for Notes & Easels, and Cloud Functions for certain application features like referral code generation. All data stored in Firebase is encrypted-at-rest by default."
The security page explicitly claims that Arc doesn't log what you're doing, giving URLs as an example, but this vulnerability claims every URL is being sent up to Firebase.