How Attackers Steal API Data Without XSS
In 2022, a researcher discovered that a major fintech API platform had a CORS misconfiguration that allowed any website to make authenticated cross-origin requests and read the responses. The API handled financial transactions and account data for millions of users.
The researcher created a simple proof-of-concept webpage. When any logged-in user visited it, the page silently made a request to the fintech API using the victim's browser cookies — and displayed all their account data. No XSS. No malware. Just a misconfigured HTTP header.
What is CORS?
Browsers enforce the Same-Origin Policy (SOP) — by default, a script on evil.com may send a request to bank.com, but it cannot read the response. This protects users from malicious websites reading their data from other sites.
CORS (Cross-Origin Resource Sharing) is a system that lets servers relax this restriction for legitimate use cases. A server adds special headers telling the browser which origins are allowed to read the response:
Access-Control-Allow-Origin: https://trusted-partner.com
Access-Control-Allow-Credentials: true
This is useful — it lets app.company.com make API calls to api.company.com. But when misconfigured, it lets any website do the same.
The common misconfigurations look like this:

Access-Control-Allow-Origin: *

Access-Control-Allow-Origin: [reflects req.origin]
Access-Control-Allow-Credentials: true

Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true

Access-Control-Allow-Origin: *.company.com
What two response headers together create a critical CORS misconfiguration?