Taboola pixel runtime redirect chain to Temu tracking endpoint on logged-in banking pages
Technical Analysis
Summary
Hide ▲
Show ▼
A February 2026 audit found a bank-approved Taboola pixel on logged-in banking pages that redirected browsers to a Temu tracking endpoint, exposing a first-hop trust blind spot on an authenticated financial platform. The chain used a 302 redirect and Access-Control-Allow-Credentials: true, letting the browser inherit trust beyond the original allow-list entry. Common WAFs, static analysis, and CSP allow-lists can miss the terminal destination when they only inspect the first hop.
Related Happenings
WebRTC payment skimmer
Malware Activity
First: 26.03.2026 08:53
Last: 26.03.2026 08:53
Sources 1
About this happening:
A **new payment skimmer** has been identified using **WebRTC data channels** to load payloads and steal payment data from **e-commerce sites**, bypassing common security controls....
WebRTC payment skimmer
Malware ActivityAbout this happening: A **new payment skimmer** has been identified using **WebRTC data channels** to load payloads and steal payment data from **e-commerce sites**, bypassing common security controls....
Major web skimming campaign targeting payment networks
Campaign
First: 13.01.2026 19:30
Last: 13.01.2026 19:30
Sources 1
About this happening:
A **long-running Magecart web-skimming campaign** has been active since **2022** and targets checkout flows tied to **American Express, Diners Club, Discover, JCB, Mastercard, and...
Major web skimming campaign targeting payment networks
CampaignAbout this happening: A **long-running Magecart web-skimming campaign** has been active since **2022** and targets checkout flows tied to **American Express, Diners Club, Discover, JCB, Mastercard, and...
Obfuscated web skimmer payload targeting Stripe checkout forms
Malware Activity
First: 13.01.2026 19:30
Last: 13.01.2026 19:30
Sources 1
About this happening:
**Silent Push** disclosed a **Magecart**-style **web skimming campaign** that has operated since **2022** and targets **e-commerce checkout pages** tied to at least **six major pa...
Obfuscated web skimmer payload targeting Stripe checkout forms
Malware ActivityAbout this happening: **Silent Push** disclosed a **Magecart**-style **web skimming campaign** that has operated since **2022** and targets **e-commerce checkout pages** tied to at least **six major pa...
Timeline
-
16.04.2026 13:30 2 articles · 1mo ago
Taboola pixel redirect disclosure
Initial DisclosureReflectiz disclosed that during a February 2026 audit of a European financial platform, a bank-approved Taboola pixel on logged-in banking pages sent a GET request to `https://sync.taboola.com/sg/temurtbnative-network/1/rtb/`, received a 302 Found to `https://www.temu.com/api/adx/cm/pixel-taboola?...`, and carried `Access-Control-Allow-Credentials: true`, allowing the browser to inherit trust past the approved first hop and reach Temu with credentials; WAFs, static analysis, and CSP allow-lists were identified as blind to the terminal redirect destination.
Show sources
- Hidden Passenger? How Taboola Routes Logged-In Banking Sessions to Temu — thehackernews.com — 16.04.2026 13:30
- Hidden Passenger? How Taboola Routes Logged-In Banking Sessions to Temu — thehackernews.com — 16.04.2026 13:30