Authorized Bugcrowd PoC — Ibotta browser extension
Account-takeover via credentialed cross-origin read. Read-only; results shown on this page only; nothing is sent anywhere.
Authorized security testing (Bugcrowd safe harbor). This page is inert unless opened with ?poc=ibotta-bugcrowd. It performs one read-only GET and displays the result on this page only. Close the tab to stop. Target read:
…
The Ibotta extension loads bex-iframe.s3.amazonaws.com/index.html, a sandbox that runs eval/new Function on window.onmessage payloads with no origin or source check and posts results to window.top with targetOrigin "*". The extension injects that iframe into this page via the item-tracking flow (a background alarm, roughly every 5 min, whenever you have at least one tracked item; it gates on the tracked item's store, never on this page's host). This page hijacks the iframe and drives the extension's credentialed, CORS-bypassing rawFetch to read your authenticated cross-origin response back, defeating CORS, SameSite and HttpOnly.
Just leave this tab open (~5 min). Focus is not required: the background service worker runs regardless, and the tracking alarm queries all open tabs and uses the first that responds. Don't close this tab; keeping few other tabs open makes it reliably win the race.
Result panels on this page (live status indicators omitted):
① Control: this page reads the target directly (plain CORS request)
② Via the Ibotta extension (credentialed request through the bex-iframe)