🔓 PostMessage Security Vulnerability - Proof of Concept

⚠️ Vulnerability: Insecure postMessage with Wildcard Origin

Target: https://borrower-portal-sec.saltlndg.io/jumio

Issue: The page calls window.parent.postMessage(message, '*'), i.e. with a wildcard target origin, so the browser delivers the message to whichever page embeds it

Impact: Any malicious website can frame this page and intercept the sensitive verification result it posts to its parent

CVSS: 5.3 (Medium) - CWE-345: Insufficient Verification of Data Authenticity

🎯 How This Exploit Works

  1. Attacker creates a malicious page (this page)
  2. Page sets up a message event listener
  3. Page embeds the vulnerable Jumio callback in an iframe
  4. Iframe loads and executes JavaScript
  5. JavaScript calls postMessage('success'/'failure', '*')
  6. Attacker's listener receives the message from ANY origin
  7. Attacker learns if identity verification succeeded/failed


📝 Vulnerable Code

// From: https://borrower-portal-sec.saltlndg.io/jumio
// getQueryStringValue() and endpointUrl are defined elsewhere in the page's script (not shown here)
const success = getQueryStringValue('transactionStatus') === 'SUCCESS'
const referenceId = getQueryStringValue('referenceId')

window.axios.post(endpointUrl).then(function() {
  if (success) {
    // ⚠️ VULNERABILITY: Wildcard origin '*' accepts any receiver
    window.parent.postMessage('success', '*');
  } else {
    window.parent.postMessage('failure', '*');
  }
}).catch(function() {
  // The outcome is posted even when the backend call fails, again to any embedding origin
  if (success) {
    window.parent.postMessage('success', '*');  // ⚠️ Insecure
  } else {
    window.parent.postMessage('failure', '*');  // ⚠️ Insecure
  }
})

🛡️ Remediation

Fix: Specify the exact target origin (the origin of the page that is expected to embed this one) instead of the wildcard, so the browser drops the message if any other origin is framing the page:

// ✅ SECURE: Specify exact origin
window.parent.postMessage('success', 'https://borrower-portal-sec.saltlndg.io');

// ❌ INSECURE: Never use wildcard for sensitive data
window.parent.postMessage('success', '*');
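
The following is an added example, not code from the portal, showing the hardened pattern on both sides of the callback: the iframe derives its parent's origin from document.referrer (a cross-origin frame cannot read window.parent.location) and posts only if that origin is on an allow-list, and the parent accepts only the expected values, only from the frame it created. The function names resolveTargetOrigin, notifyParent and acceptVerificationMessage are hypothetical; the allow-listed origin is the one named on this page.

```javascript
// Added example (not the portal's own code). Allow-list of origins permitted to
// embed the Jumio callback page; the entry is the origin named on this page.
const ALLOWED_PARENT_ORIGINS = new Set([
  'https://borrower-portal-sec.saltlndg.io',
]);

// Derive the embedding page's origin from document.referrer. Returns null, never '*',
// when the referrer is absent (Referrer-Policy can strip it), malformed, or not allowed.
function resolveTargetOrigin(referrer, allowed = ALLOWED_PARENT_ORIGINS) {
  if (typeof referrer !== 'string' || referrer === '') return null;
  let origin;
  try {
    origin = new URL(referrer).origin;
  } catch (_) {
    return null;
  }
  return allowed.has(origin) ? origin : null;
}

// Sender side (runs in the iframe). `parentWindow` is injected so the function can be
// exercised outside a browser; in the page it would be window.parent and `referrer`
// would be document.referrer. Returns the origin the status was sent to, or null.
function notifyParent(success, parentWindow, referrer, allowed = ALLOWED_PARENT_ORIGINS) {
  const target = resolveTargetOrigin(referrer, allowed);
  if (target === null) return null; // withhold the result rather than broadcast it
  parentWindow.postMessage(success ? 'success' : 'failure', target);
  return target;
}

// Receiver side (runs in the parent portal's message listener). Accepts only the two
// expected values, only from an allow-listed frame origin, and only from the iframe
// window the portal itself created (`expectedSource`, i.e. iframe.contentWindow).
function acceptVerificationMessage(event, expectedSource, allowedFrameOrigins) {
  if (event.source !== expectedSource) return null;
  if (!allowedFrameOrigins.has(event.origin)) return null;
  if (event.data !== 'success' && event.data !== 'failure') return null;
  return event.data;
}
```

In the portal, the receiver is wired as window.addEventListener('message', e => acceptVerificationMessage(e, iframe.contentWindow, allowedFrameOrigins)), where allowedFrameOrigins holds the origin of the callback page.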

Additional Recommendations: