Authorized Bugcrowd PoC — Ibotta browser extension
Authorized security testing (Bugcrowd / safe harbor). This page is harmless on its own. It only acts when
opened with the PoC token in the URL; it then performs a read-only request and displays the result on this
page only (nothing is sent anywhere). Close the tab to stop.
This demonstrates that the Ibotta extension's bex-iframe (an eval sandbox that performs no origin check on
incoming messages) can be hijacked by the top-level page that ends up hosting it, and used to drive the
extension's credentialed, CORS-bypassing rawFetch and read your authenticated cross-origin data back. The
iframe is delivered to this page either by the price-comparison flow (on a supported retailer site) or by the
item-tracking flow (any page, roughly every 5 minutes, provided you have at least one tracked item), so simply
visiting this page is enough.
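The following is an added illustration of the defect class described above (a frame whose message handler executes sender-controlled code without checking who sent it) placed beside a hardened handler. It is example code, not the Ibotta extension's code: the message shape, the origin strings, the token and its delivery channel, and the operation names are all assumptions made for the example.

```javascript
// Example code for the defect class above; not the Ibotta extension's code.
// Message shape, origins, token and operation names are assumptions.

// Weak pattern: an "eval sandbox" frame that runs whatever string arrives via
// postMessage. The sender's origin is never consulted, so whichever page the
// frame gets embedded into can drive it.
function weakSandboxHandler(event) {
  // event is shaped like a MessageEvent: { origin, data }
  const data = event.data || {};
  if (typeof data.code !== 'string') return { executed: false, reason: 'no code' };
  // Sender-controlled code is executed here.
  const result = Function('"use strict"; return (' + data.code + ');')();
  return { executed: true, result };
}

// Hardened pattern. The frame is created with:
//   expectedOrigin: the only origin allowed to drive it (assumed here to be the
//                   extension's own origin, e.g. "chrome-extension://<id>")
//   sessionToken:   a per-instance secret handed to the legitimate caller over
//                   an extension-internal channel, never via the embedding page
//   operations:     a fixed table of permitted operations
// It never executes received code.
function createHardenedSandboxHandler({ expectedOrigin, sessionToken, operations }) {
  return function handle(event) {
    // 1. Origin check. A check like event.source === window.parent would NOT
    //    help in the scenario above, because the parent is the hostile page.
    if (event.origin !== expectedOrigin) {
      return { ok: false, reason: 'untrusted origin: ' + event.origin };
    }
    const data = event.data;
    if (!data || typeof data !== 'object') return { ok: false, reason: 'malformed message' };
    // 2. Capability token bound to this frame instance.
    if (typeof data.token !== 'string' || data.token !== sessionToken) {
      return { ok: false, reason: 'bad token' };
    }
    // 3. Operation allowlist; there is no eval/Function path at all.
    if (!Object.prototype.hasOwnProperty.call(operations, data.op)) {
      return { ok: false, reason: 'unknown op: ' + String(data.op) };
    }
    return { ok: true, result: operations[data.op](data.args || {}) };
  };
}

// Constructed messages exercising both handlers. In a browser these would be
// MessageEvents delivered to window.addEventListener('message', handler).
function demoSandboxMessages() {
  const expectedOrigin = 'chrome-extension://exampleextensionid'; // assumption
  const sessionToken = 'c0ffee-example-token';                     // assumption
  const handle = createHardenedSandboxHandler({
    expectedOrigin,
    sessionToken,
    operations: { sum: ({ a, b }) => a + b },
  });

  const attackerCode = { origin: 'https://attacker.example', data: { code: '6 * 7' } };
  const attackerWithToken = {
    origin: 'https://attacker.example',
    data: { op: 'sum', token: sessionToken, args: { a: 1, b: 2 } },
  };
  const rightOriginNoToken = { origin: expectedOrigin, data: { op: 'sum', args: { a: 1, b: 2 } } };
  const legit = { origin: expectedOrigin, data: { op: 'sum', token: sessionToken, args: { a: 40, b: 2 } } };
  const legitUnknownOp = { origin: expectedOrigin, data: { op: 'eval', token: sessionToken, args: {} } };

  return {
    weakFromAttacker: weakSandboxHandler(attackerCode),      // executes attacker code
    hardenedFromAttacker: handle(attackerCode),              // rejected: origin
    hardenedAttackerWithToken: handle(attackerWithToken),    // rejected: origin
    hardenedRightOriginNoToken: handle(rightOriginNoToken),  // rejected: token
    hardenedLegit: handle(legit),                            // ok, result 42
    hardenedUnknownOp: handle(legitUnknownOp),               // rejected: op
  };
}

module.exports = { weakSandboxHandler, createHardenedSandboxHandler, demoSandboxMessages };
```

The point of the hardened version is that the origin check, not a parent or source check, is what protects a frame that ends up inside an untrusted page, and that replacing an eval surface with a fixed operation table removes the class of bug entirely rather than gating it. The token is a second layer in case the trusted origin itself ever relays page-controlled messages; it only helps if it is never exposed to the embedding page.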
Just leave this tab open for about 5 minutes. You do not need to keep it focused; you can switch to other
tabs, because the extension's tracking alarm fires in the background service worker, which runs regardless of
tab focus, and targets any open tab. Don't close this tab, and avoid having many other tabs open: the alarm
picks the first tab that responds, so with fewer tabs open it reliably hits this one.
⏳ Waiting for the Ibotta extension's bex-iframe to appear (tracking alarm fires ~every 5 min)…
(no data captured yet)