A CORS misconfiguration in Twitter's niche platform allowed attackers to bypass origin validation by leveraging subdomain prefix matching (niche.co.evil.net) to steal private user data including images, emails, and CSRF tokens synced from Facebook, Instagram, and Twitter. The vulnerability was exploited via a simple JavaScript POC that exfiltrated sensitive information when visited by logged-in users.
Researcher demonstrates escalation of a subdomain takeover on impact.postmates.com (GitHub pages vulnerability) into session cookie theft by leveraging document.domain relaxation in the parent domain postmates.com, enabling account takeover despite the subdomain being out-of-scope. The technique exploits the fact that if the main domain explicitly sets document.domain, a compromised subdomain can set it to match and access sensitive cookies via JavaScript.
Multiple DOM-based XSS vulnerabilities discovered in iframe buster implementations from major ad tech vendors (Adform, Eyeblaster, Adtech) due to weak regex and whitelist validation on user-controlled parameters, allowing attackers to inject arbitrary JavaScript on top-tier publisher sites.
A researcher chained two XSSi (Cross-Site Script Inclusion) vulnerabilities at Yahoo to steal user account information by extracting a valid crumb token from a dynamic JavaScript file and using it in a JSONP endpoint request, earning a $750 bounty.