A critical authentication bypass vulnerability in Companies House allowed unauthenticated access to any company's dashboard by using the browser back button after a failed authentication attempt. The flaw exposed personal information (home addresses, email addresses, full dates of birth) for 5 million directors and enabled editing of company details and filing of accounts.
A CORS misconfiguration in Twitter's niche platform allowed attackers to bypass origin validation by exploiting prefix matching on the Origin header, so that an attacker-controlled host such as niche.co.evil.net passed the check. This exposed private user data, including images, email addresses, and CSRF tokens synced from Facebook, Instagram, and Twitter. The vulnerability was demonstrated with a simple JavaScript proof of concept that exfiltrated the sensitive information when a logged-in user visited the attacker's page.
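As an added example (not code from either report), the following Node.js snippet shows the prefix-matching mistake described for the niche platform beside a strict allowlist check and the response headers a server should emit for a credentialed request; the hostnames niche.co and www.niche.co are assumed for illustration.

```javascript
// Added illustration, not the platform's own code. Allowlisted origins are assumed.
const ALLOWED_ORIGINS = new Set([
  'https://niche.co',
  'https://www.niche.co',
]);

// Weak check: a prefix comparison on the raw Origin header.
// "https://niche.co.evil.net" starts with "https://niche.co", so an
// attacker-controlled host passes and receives the user's private data.
function isAllowedOriginWeak(origin) {
  return typeof origin === 'string' && origin.startsWith('https://niche.co');
}

// Strict check: parse the Origin header and compare the serialized origin
// (scheme + host + non-default port) exactly against the allowlist.
// Unparsable values such as "null" and non-HTTPS origins are rejected.
function isAllowedOriginStrict(origin) {
  if (typeof origin !== 'string') return false;
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false;
  }
  if (url.protocol !== 'https:') return false;
  // url.origin normalizes away a default port (":443") and ignores any path.
  return ALLOWED_ORIGINS.has(url.origin);
}

// CORS headers for a credentialed response. Only an allowlisted origin is
// echoed back; "*" is never combined with credentials, and "Vary: Origin"
// stops a shared cache from replaying one origin's response to another.
function corsHeaders(origin) {
  if (!isAllowedOriginStrict(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}
```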