Undisclosed Redirect Chain Enables Cross-Origin Tracking via Taboola-to-Temu Pixel on Authenticated Banking Pages
Summary
A tracked redirect chain from Taboola’s sync endpoint to Temu’s tracking infrastructure was observed executing on logged-in banking pages across a European financial platform in February 2026. The chain leveraged a 302 redirect and CORS credentials header to enable cross-origin cookie access, allowing Temu to associate authenticated session behavior with tracking identifiers without explicit user consent or bank knowledge. Conventional security controls including WAFs, static analyzers, and CSP allow-lists failed to detect the outbound runtime behavior due to reliance on declared origins rather than terminal destinations.
Timeline
- 16.04.2026 13:30 (1 article)
Cross-Origin Session Tracking Enabled via Taboola-to-Temu Redirect Chain on Authenticated Banking Pages
A redirect chain starting at sync.taboola.com redirected logged-in banking users to temu.com/api/adx/cm/pixel-taboola with Access-Control-Allow-Credentials: true enabled. This allowed Temu to access cookies during authenticated sessions, associating user behavior with tracking identifiers without user consent or bank visibility. The chain evaded detection by WAFs, static analyzers, and CSP allow-lists, which evaluated only declared origins rather than runtime redirect destinations.
- Hidden Passenger? How Taboola Routes Logged-In Banking Sessions to Temu — thehackernews.com — 16.04.2026 13:30
Information Snippets
- During a February 2026 audit, a redirect chain was identified starting at https://sync.taboola.com/sg/temurtbnative-network/1/rtb/ with a 302 Found response redirecting to https://www.temu.com/api/adx/cm/pixel-taboola?... on logged-in banking pages.
First reported: 16.04.2026 13:30 (1 source, 1 article)
- Hidden Passenger? How Taboola Routes Logged-In Banking Sessions to Temu — thehackernews.com — 16.04.2026 13:30
- The redirect included the header Access-Control-Allow-Credentials: true, instructing the browser to include cookies in cross-origin requests to Temu’s domain.
First reported: 16.04.2026 13:30 (1 source, 1 article)
- Hidden Passenger? How Taboola Routes Logged-In Banking Sessions to Temu — thehackernews.com — 16.04.2026 13:30
- Conventional security tools such as WAFs, static analyzers, and CSP allow-lists failed to detect the redirect chain because they evaluate declared script origins rather than runtime terminal destinations.
First reported: 16.04.2026 13:30 (1 source, 1 article)
- Hidden Passenger? How Taboola Routes Logged-In Banking Sessions to Temu — thehackernews.com — 16.04.2026 13:30
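An added illustration of the two points above (the credentialed CORS header on the redirect, and the gap between a declared origin and the runtime terminal destination), written for this page and not taken from the article or from either vendor: a small Python audit that follows a 30x redirect chain hop by hop, resolves relative Location headers, and reports the terminal origin together with every hop that answers with Access-Control-Allow-Credentials: true. The HTTP responses are a constructed fixture modelled on the two hops the article names; the header values, the allow-list, and the bank origin https://bank.example are assumptions, and the real query string on the Temu URL is not reproduced.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlsplit


@dataclass
class Response:
    status: int
    headers: Dict[str, str]  # header names stored lower-cased


# Constructed fixture (assumption): the two hops named in the article, with
# response headers made up for this example. The real query string on the
# Temu URL is deliberately not reproduced.
START_URL = "https://sync.taboola.com/sg/temurtbnative-network/1/rtb/"
FIXTURE: Dict[str, Response] = {
    START_URL: Response(302, {
        "location": "https://www.temu.com/api/adx/cm/pixel-taboola",
        "access-control-allow-origin": "https://bank.example",  # assumed bank origin
        "access-control-allow-credentials": "true",
    }),
    "https://www.temu.com/api/adx/cm/pixel-taboola": Response(200, {
        "content-type": "image/gif",
        "access-control-allow-credentials": "true",
    }),
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def fetch_fixture(url: str) -> Response:
    """Offline stand-in for an HTTP client that does NOT auto-follow redirects."""
    return FIXTURE.get(url, Response(404, {}))


def origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def follow_chain(url: str, fetch: Callable[[str], Response],
                 max_hops: int = 10) -> List[Tuple[str, Response]]:
    """Return every (url, response) hop until a non-redirect answer is reached."""
    hops: List[Tuple[str, Response]] = []
    current = url
    while len(hops) < max_hops:
        resp = fetch(current)
        hops.append((current, resp))
        location = resp.headers.get("location")
        if resp.status in REDIRECT_STATUSES and location:
            current = urljoin(current, location)  # Location may be relative
            continue
        return hops
    raise RuntimeError(f"redirect chain exceeded {max_hops} hops (loop?)")


def audit_chain(start_url: str, allowed_origins: set,
                fetch: Callable[[str], Response] = fetch_fixture) -> dict:
    """Compare the runtime terminal origin with the allow-list and flag
    any hop that asks the browser to attach credentials cross-origin."""
    hops = follow_chain(start_url, fetch)
    terminal_origin = origin_of(hops[-1][0])
    findings: List[str] = []
    if terminal_origin not in allowed_origins:
        findings.append(
            f"terminal origin {terminal_origin} is not allow-listed "
            f"(declared origin was {origin_of(start_url)})")
    for hop_url, resp in hops:
        acac = resp.headers.get("access-control-allow-credentials", "")
        if acac.strip().lower() == "true":
            findings.append(
                f"credentialed CORS response (Access-Control-Allow-Credentials: true) at {hop_url}")
    return {
        "hops": [u for u, _ in hops],
        "terminal_origin": terminal_origin,
        "findings": findings,
    }


if __name__ == "__main__":
    # Only the declared (first-hop) origin is allow-listed, as a review that
    # looks at the embedded tag alone would have it.
    report = audit_chain(START_URL, {"https://sync.taboola.com"})
    print("hops:", " -> ".join(report["hops"]))
    for finding in report["findings"]:
        print("FINDING:", finding)
```

In a real run, `fetch_fixture` would be replaced by a client that disables automatic redirect following (so each hop is observed rather than collapsed), and the allow-list would be populated from the page's CSP or third-party inventory; the point of the check is that it is the final hop, not the declared tag, that is compared against that list.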
- The redirect chain enabled Temu to read or write tracking identifiers for users who were actively logged into banking sessions, associating authenticated behavior with PDD Holdings’ tracking profiles.
First reported: 16.04.2026 13:30 (1 source, 1 article)
- Hidden Passenger? How Taboola Routes Logged-In Banking Sessions to Temu — thehackernews.com — 16.04.2026 13:30
- For regulated financial entities, the absence of direct credential theft does not mitigate compliance exposure; the routing involved infrastructure in a non-adequate jurisdiction and lacked Standard Contractual Clauses for the fourth-party relationship under GDPR Chapter V.
First reported: 16.04.2026 13:30 (1 source, 1 article)
- Hidden Passenger? How Taboola Routes Logged-In Banking Sessions to Temu — thehackernews.com — 16.04.2026 13:30
- The configuration affects thousands of websites where the Taboola pixel is deployed, raising systemic exposure across sectors that rely on third-party tracking pixels on authenticated pages.
First reported: 16.04.2026 13:30 (1 source, 1 article)
- Hidden Passenger? How Taboola Routes Logged-In Banking Sessions to Temu — thehackernews.com — 16.04.2026 13:30