π Account-Takeover PoC β bechtle-poc.arcocyber.com
Bugcrowd program: Sophos · Target: arcocyber.com (Sophos acquisition) · Date: 2026-07-19
What this page proves: This page is served from bechtle-poc.arcocyber.com, a subdomain
that was dangling and claimable (unclaimed Netlify custom domain) and has been taken over. Because it
runs on a *.arcocyber.com origin, its JavaScript is same-site to
auth.arcocyber.com. Combined with the credential-reflecting CORS misconfiguration on
auth.arcocyber.com/refresh_token, this attacker-controlled page can silently read the
logged-in visitor's application JWT and use it to act as them.
Reproduction (for the Sophos triager): In the SAME browser where you are logged into arcocyber / Saepio,
open this page. It will display your own session JWT (stolen cross-origin) and its identity claims below.
A real attacker would exfiltrate it silently. This PoC only displays the token to you and does not send it
anywhere.
The chain (technical)
1. Subdomain takeover: bechtle-poc.arcocyber.com pointed at Netlify with no
site claiming it (canonical Not Found - Request ID + x-nf-request-id). Claimed by attacker β arbitrary JS on a *.arcocyber.com origin.
2. SameSite bypass: the session cookie connect.sid is SameSite=Lax,
which is still sent on same-site requests. bechtle-poc and auth share the
registrable domain arcocyber.com = same site.
3. Credentialed CORS: auth.arcocyber.com/refresh_token reflects the requesting
Origin with Access-Control-Allow-Credentials: true, so this page can read the JSON response.
4. ATO: POST /refresh_token (with credentials) returns {jwt_token} β
the sole credential for api.arcocyber.com/v1/graphql. Attacker replays it = full account/tenant takeover.