Expected Findings
- `message` listener does not validate `event.origin`.
- Action handler executes privileged side effects on any message.
- Same listener is reused on dashboard and account pages.
The parent page accepts `postMessage` events without checking `event.origin`, so any framing site can ask it to perform privileged actions.
listening...
```javascript
// Vulnerable listener (kept as found): acts on every message, with no e.origin check
window.addEventListener("message", e => handle(e.data)) // no e.origin check
```
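To make the finding concrete, here is an added example (not code from the page or the application under review) that places the vulnerable listener next to a hardened one and runs both against constructed `MessageEvent`-like objects, so it works in Node without a DOM. The allowlist `https://app.example.com`, the `deleteAccount` action, the attacker origins and the `handle`/`run` helpers are all assumptions made for the demonstration.

```javascript
// Added example: origin validation for a postMessage handler.
// Assumed allowlist of origins permitted to drive privileged actions (exact-match, scheme + host + port).
const TRUSTED_ORIGINS = new Set(["https://app.example.com"]);

// Stand-in for the page's privileged action handler: records side effects in `log`
// instead of calling a real backend (constructed for the example).
function makeActionHandler(log) {
  return function handle(data) {
    if (data && data.action === "deleteAccount") log.push("deleteAccount");
  };
}

// Vulnerable listener, mirroring the page's finding: dispatches on any message,
// regardless of which window or origin sent it.
function vulnerableListener(log) {
  const handle = makeActionHandler(log);
  return e => { handle(e.data); return true; };
}

// Hardened listener: rejects any event whose origin is not an exact allowlist entry,
// then validates the message shape before dispatching. Returns whether it acted.
function hardenedListener(log, trusted = TRUSTED_ORIGINS) {
  const handle = makeActionHandler(log);
  return e => {
    // Exact match on the full origin string. startsWith/indexOf checks are bypassed
    // by origins such as https://app.example.com.attacker.example.
    if (typeof e.origin !== "string" || !trusted.has(e.origin)) return false;
    if (typeof e.data !== "object" || e.data === null || typeof e.data.action !== "string") return false;
    handle(e.data);
    return true;
  };
}

// Constructed events: one from the trusted app, one from a framing site, and one
// from a lookalike origin that would defeat a prefix check.
const EVENTS = [
  { origin: "https://app.example.com", data: { action: "deleteAccount" } },
  { origin: "https://attacker.example", data: { action: "deleteAccount" } },
  { origin: "https://app.example.com.attacker.example", data: { action: "deleteAccount" } },
];

// Feed every constructed event to a listener and report what it accepted and what it did.
function run(listenerFactory) {
  const log = [];
  const listener = listenerFactory(log);
  const accepted = EVENTS.map(listener);
  return { accepted, log };
}

// In a browser the hardened listener would be registered as:
//   window.addEventListener("message", hardenedListener(log));
if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", run(vulnerableListener)); // acts on all three events
  console.log("hardened:", run(hardenedListener));     // acts only on the trusted one
}
```

Since the same listener is reused on the dashboard and account pages, each page should register a listener whose allowlist and accepted actions match what that page actually needs, rather than sharing one permissive handler.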