A CORS misconfiguration on api.artsy.net allows attackers to exfiltrate authenticated user credentials and sensitive data (email, phone, authentication tokens, etc.) by hosting malicious JavaScript that exploits the overly permissive Access-Control-Allow-Credentials and Access-Control-Allow-Origin headers.
A researcher exploited CORS misconfiguration combined with reflected XSS on a Netgear subdomain to extract sensitive user data (email, age, gender, DOB) by sending malicious links that executed JavaScript in the attacker's context and exfiltrated API responses. The vulnerability required an endpoint that accepted subdomain origins and an XSS vulnerability on a whitelisted subdomain to execute the data theft payload.
A security researcher discovered a CORS misconfiguration on a mobile app API that accepted arbitrary origins and included Access-Control-Allow-Credentials, allowing credential-based requests from attacker-controlled domains. Despite identifying the vulnerability, exploitation was limited due to high attack complexity (API only accessible in mobile app), though a proof-of-concept demonstrated the ability to exfiltrate sensitive account information when credentials were available in the browser.