Hidden Passenger? How Taboola Routes Logged-In Banking Sessions to Temu
Briefly

"Most security stacks, including WAFs, static analyzers, and standard CSPs, share a common failure mode: they evaluate the declared origin of a script, not the runtime destination of its request chain. If sync.taboola.com is in your Content Security Policy (CSP) allow-list, the browser considers the request legitimate. However, it does not re-validate against the terminal destination of a 302 redirect."
"During a February 2026 audit of a European financial platform, Reflectiz identified the following redirect chain executing on logged-in account pages: Initial Request: A GET request to https://sync.taboola.com/sg/temurtbnative-network/1/rtb/. The Redirect: The server responded with a 302 Found, redirecting the browser to https://www.temu.com/api/adx/cm/pixel-taboola?...."
"The redirect included the critical header Access-Control-Allow-Credentials: true. This header specifically instructs the browser to include cookies in the cross-origin request to Temu's domain. This is the mechanism by which Temu can read or write tracking identifiers against a browser it now knows visited an authenticated banking session."
"WAF inspects inbound traffic only; misses outbound browser-side redirects. Static Analysis sees the Taboola code in the source but cannot predict runtime 302 destinations. CSP allow-list trust is transitive; the browser follows the redirect chain automatically once the first hop is approved."
A Taboola pixel approved by a bank redirected logged-in users to a Temu tracking endpoint without the bank's knowledge or the users' consent. Security tools did not detect the issue because of a common failure mode: they evaluate the declared origin of a script rather than the runtime destination of its request chain. The redirect chain let Temu access tracking identifiers from authenticated banking sessions, exposing a blind spot in conventional controls (WAF, static analysis, CSP allow-lists) and the need for closer oversight of third-party tracking.
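A defender-side audit in the spirit of the quoted findings, added here as an example (not code from Reflectiz, Taboola or The Hacker News): it resolves a pixel's redirect chain to its terminal host, compares every hop against the page's CSP allow-list, and flags any hop that sets Access-Control-Allow-Credentials: true. The response table and the policy string are constructed; only the two hostnames and paths come from the article.

```python
from urllib.parse import urljoin

START = "https://sync.taboola.com/sg/temurtbnative-network/1/rtb/"
# Constructed response table standing in for live fetches: request URL -> (status, headers).
RESPONSES = {
    START: (302, {"Location": "https://www.temu.com/api/adx/cm/pixel-taboola",
                  "Access-Control-Allow-Credentials": "true"}),
    "https://www.temu.com/api/adx/cm/pixel-taboola": (200, {"Content-Type": "image/gif"}),
}

def csp_sources(policy: str, directive: str) -> list[str]:
    """Host sources under one directive, falling back to default-src as CSP does."""
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == directive:
            return [t for t in tokens[1:] if not t.startswith("'")]   # drop 'self' etc.
    return csp_sources(policy, "default-src") if directive != "default-src" else []

def host_of(source: str) -> str:  # bare lowercase host of a URL or CSP host-source
    return source.split("://", 1)[-1].split("/", 1)[0].split(":")[0].lower()

def host_matches(host: str, source: str) -> bool:
    """CSP host matching: exact host, or '*.example.com' for subdomains only."""
    if source.startswith("*."):
        return host.endswith(source[1:]) and host != source[2:]
    return host == source

def resolve_chain(start: str, responses=RESPONSES, max_hops: int = 10) -> list[dict]:
    """Follow 3xx Location headers from start; one record per hop, terminal hop last."""
    hops, url = [], start
    for _ in range(max_hops):
        status, headers = responses.get(url, (0, {}))   # 0: no recorded response
        hdrs = {k.lower(): v for k, v in headers.items()}
        cred = hdrs.get("access-control-allow-credentials", "").strip().lower() == "true"
        hops.append({"host": host_of(url), "status": status, "credentials": cred})
        if not (300 <= status < 400 and "location" in hdrs):
            break
        url = urljoin(url, hdrs["location"])             # relative Locations resolve too
    return hops

def audit(start: str, policy: str, directive: str = "img-src") -> list[str]:
    """Findings: hops outside the allow-list, and hops that opt in to credentials."""
    allowed = [host_of(s) for s in csp_sources(policy, directive)]
    findings = []
    for i, hop in enumerate(resolve_chain(start)):
        if not any(host_matches(hop["host"], a) for a in allowed):
            findings.append(f"hop {i}: {hop['host']} is outside the {directive} allow-list")
        if hop["credentials"]:
            findings.append(f"hop {i}: {hop['host']} sets Access-Control-Allow-Credentials: true")
    return findings
```

Against a policy that allows only the Taboola hosts, the audit reports the credentialed first hop and the Temu terminal host that the declared origin never revealed.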
Read at The Hacker News