Hyperlines TypeScript Audit and Pentest

• JWT cookie set without security flags, enabling token theft and CSRF (H-01, fixed). The session JWT was stored in a cookie without HttpOnly, Secure, or SameSite attributes, making it readable by client-side JavaScript and exposed to CSRF. Any XSS or malicious third-party script could exfiltrate the token directly via document.cookie.
• Agent private keys persisted in localStorage (H-02, fixed). The app generated trading-agent private keys on the client and stored them in localStorage. Any XSS or compromised browser extension could exfiltrate keys and drain funds or impersonate users.
• CORS misconfiguration on third-party API with reflected origin and credentials allowed (H-03, fixed). The Segment.io analytics endpoint reflected the Origin header while allowing credentials, enabling arbitrary websites to make authenticated cross-origin requests and potentially exfiltrate user data.
• Seven Medium findings covered hardcoded WebSocket endpoints without integrity checks, unvalidated profile fields written to MongoDB, missing explicit TLS enforcement on MongoDB connections (acknowledged), missing security headers (CSP, HSTS, X-Frame-Options, Referrer-Policy), and three separate reflected-parameter XSS vectors across the URL handling layer.
• One Informational finding flagged sensitive objects being logged to the browser console.

Ten findings were fixed; the MongoDB TLS hardening (M-03) was acknowledged as part of broader infrastructure hardening planned outside this engagement.