When hunting for vulnerabilities, interacting with a website like a normal user can help to discover interesting new endpoints.
A POST request was made from [redacted.com/account/profile] to [redacted_auth.com/api/v1/profile], which reflected user session cookies in its response.
Furthermore, the endpoint would also reflect any provided origin as an Access-Control-Allow-Origin header, expanding the attack surface.
Combining these two weaknesses could allow an attacker's page to read the authenticated response cross-origin and hijack the user's session, giving them full account takeover (ATO).
After 2 weeks of hunting, an XSS vulnerability was found on a subdomain that allowed an attacker to steal a JWT and perform ATO.
The takeaway is to avoid reflecting session cookies in API responses and to configure CORS with an explicit origin allowlist rather than echoing whatever Origin the request supplies.
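As an added example (not code from the original write-up), the origin-reflecting policy described above sits beside a common but still weak suffix check and an exact-match allowlist; the hostnames are placeholders, since the real ones are redacted.

```javascript
// Constructed allowlist: the origins that may read authenticated API responses.
const ALLOWED_ORIGINS = new Set([
  "https://redacted.com",
  "https://www.redacted.com",
]);

// Vulnerable: echoes any Origin and allows credentials, so any cross-origin
// page can read the response (including a reflected session cookie).
function corsHeadersVulnerable(originHeader) {
  if (!originHeader) return {};
  return {
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Weak "fix" seen in the wild: a suffix check. It still accepts
// https://evilredacted.com because that string ends with "redacted.com".
function corsHeadersSuffixCheck(originHeader) {
  if (!originHeader || !originHeader.endsWith("redacted.com")) return {};
  return {
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Hardened: parse the Origin, require it to be a canonical scheme://host[:port]
// string, and allow it only on an exact allowlist match. Unknown or malformed
// origins get no CORS headers at all, so the browser blocks the read.
function corsHeadersHardened(originHeader) {
  if (!originHeader) return {};
  let parsed;
  try {
    parsed = new URL(originHeader);
  } catch {
    return {}; // malformed Origin (e.g. "null"): deny
  }
  const canonical = parsed.origin;
  if (canonical !== originHeader || !ALLOWED_ORIGINS.has(canonical)) return {};
  return {
    "Access-Control-Allow-Origin": canonical,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Would a page at `origin` be allowed to read an authenticated response?
function crossOriginReadAllowed(headers, origin) {
  return headers["Access-Control-Allow-Origin"] === origin &&
         headers["Access-Control-Allow-Credentials"] === "true";
}
```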