A CORS misconfiguration on api.artsy.net allows attackers to exfiltrate authenticated user credentials and sensitive data (email, phone, authentication tokens, etc.) by hosting malicious JavaScript that exploits the overly permissive Access-Control-Allow-Credentials and Access-Control-Allow-Origin headers.
A researcher exploited CORS misconfiguration combined with reflected XSS on a Netgear subdomain to extract sensitive user data (email, age, gender, DOB) by sending malicious links that executed JavaScript in the attacker's context and exfiltrated API responses. The vulnerability required an endpoint that accepted subdomain origins and an XSS vulnerability on a whitelisted subdomain to execute the data theft payload.
Ron Chan discovered an SSRF vulnerability in Google Cloud Platform's Stackdriver Debug feature that allowed attackers to intercept OAuth access tokens from Bitbucket, GitHub, or GitLab by exploiting an unvalidated URL parameter in the resource listing endpoint, which forwarded requests with the user's authorization token to arbitrary attacker-controlled servers.
A security researcher discovered a CORS misconfiguration on a mobile app API that accepted arbitrary origins and included Access-Control-Allow-Credentials, allowing credential-based requests from attacker-controlled domains. Despite identifying the vulnerability, exploitation was limited due to high attack complexity (API only accessible in mobile app), though a proof-of-concept demonstrated the ability to exfiltrate sensitive account information when credentials were available in the browser.
Cloudflare implements RFC 9457-compliant structured error responses (JSON/Markdown) for AI agents instead of HTML, reducing token consumption by 98% and improving agent control flow reliability.