@red_sky In this case yeah, but any time I see a vulnerability disclosure and it mentions "Firebase", I immediately assume "oh, ACL misconfiguration" and that guess turns out to be correct basically 100% of the time because Firebase's access control is garbage 🙃

I'm actually pleasantly surprised by Arc, in that they seem to have realized the same thing and are getting rid of Firebase entirely now