πŸ”“ Account-Takeover PoC β€” bechtle-poc.arcocyber.com

Bugcrowd program: Sophos · Target: arcocyber.com (Sophos acquisition) · Date: 2026-07-19

Live exploitation result

The chain (technical)

1. Subdomain takeover: bechtle-poc.arcocyber.com pointed at Netlify with no site claiming it (canonical Not Found - Request ID + x-nf-request-id). Claimed by attacker β†’ arbitrary JS on a *.arcocyber.com origin.
2. SameSite bypass: the session cookie connect.sid is SameSite=Lax, which is still sent on same-site requests. bechtle-poc and auth share the registrable domain arcocyber.com = same site.
3. Credentialed CORS: auth.arcocyber.com/refresh_token reflects the requesting Origin with Access-Control-Allow-Credentials: true, so this page can read the JSON response.
4. ATO: POST /refresh_token (with credentials) returns {jwt_token} β€” the sole credential for api.arcocyber.com/v1/graphql. Attacker replays it = full account/tenant takeover.