Insecure CORS, origin echoed with credentials allowed
The Segment.io analytics endpoint dynamically reflected the Origin header while allowing credentials, enabling arbitrary websites to make authenticated cross-origin requests and potentially exfiltrate user data.
Description
The Segment.io analytics endpoint integrated with the platform reflected whatever Origin header was sent on the request, while also setting Access-Control-Allow-Credentials: true. This combination allows arbitrary websites to make cross-origin requests with cookies/credentials attached, effectively bypassing the same-origin policy for that endpoint.
Impact
A malicious site can make credentialed cross-origin requests to the analytics endpoint and read responses. Depending on what the endpoint exposes to authenticated callers, this enables data exfiltration of analytics or user-attributable telemetry.
Recommendation
- Replace the reflected-origin pattern with an explicit allowlist of trusted origins.
- Never combine a reflected origin with Access-Control-Allow-Credentials: true. If credentials are required, the allowed origin must be a single, fixed, trusted value.
- Audit other third-party endpoints in scope for the same misconfiguration.
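Added example, not code from Segment.io or the affected platform: the reflected-origin pattern from the description beside the allowlist fix from the recommendation, plus a small checker for auditing other endpoints. The origins in the allowlist are assumed values.

```javascript
// Vulnerable pattern from the finding: echo whatever Origin the client
// sent and allow credentials. Any site can then make credentialed
// requests and read the response.
function corsHeadersReflected(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Fixed pattern: an explicit allowlist of trusted origins (assumed values),
// compared for exact equality so lookalikes such as
// https://app.example.com.evil.net never match. "Vary: Origin" keeps caches
// from serving one origin's response to another.
const TRUSTED_ORIGINS = new Set([
  'https://app.example.com',   // assumed trusted first-party origin
  'https://admin.example.com', // assumed trusted first-party origin
]);

function corsHeadersAllowlisted(requestOrigin) {
  if (!TRUSTED_ORIGINS.has(requestOrigin)) {
    // Untrusted or absent Origin: emit no CORS headers, so the browser
    // refuses the cross-origin read.
    return {};
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// Audit helper for the last recommendation: send a probe Origin that is not
// one of your trusted origins and pass the response headers here. It flags
// the combination described in the finding: the probe origin echoed back
// while credentials are allowed. Header names are assumed already
// normalised to this canonical casing.
function isInsecureCors(probeOrigin, responseHeaders) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  const acac = responseHeaders['Access-Control-Allow-Credentials'];
  return acac === 'true' && acao === probeOrigin;
}
```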
Ipal Network: Confirmed. Zealynx: Fixed.