Dark C0d3rs

Full Version: HackerOne Disclosed Reports - 2025-10-14
Severity: High
State: resolved

SameSite restrictions are lifted, and SameSite=Strict cookies are being sent.


Bug reported by mingi, disclosed on October 15, 2025, 5:41 am   |   Improper Certificate Validation

A vulnerability was discovered where SameSite=Strict cookies were sent on cross-site navigations, even though the SameSite policy should have withheld them. The same navigations also arrived without the Sec-Fetch-Site: cross-site request header, the Fetch Metadata signal a server uses to recognise and reject cross-site requests as a CSRF defence, so a server relying on that header would not have caught them either. The issue was reported as observed in Brave browser version 1.80.120 during a window operation.
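To make the server-side consequence concrete, here is an added example (not code from the report, from Brave, or from the forum post) of a Fetch Metadata resource-isolation check placed next to an Origin check and run over constructed request headers. The application origin, the header values and the session cookie are assumptions for the illustration. It shows why a request that merely lacks Sec-Fetch-Site is accepted by a Fetch Metadata policy: browsers without Fetch Metadata support send no header at all, so absence cannot be treated as a deny signal, and a server that leaned on Sec-Fetch-Site as its CSRF defence would accept the cookie-bearing cross-site navigation the report describes.

```javascript
// Added example, not code from the report or from Brave: a server-side
// Fetch Metadata resource-isolation check next to an Origin check, run over
// constructed request headers, to show why a missing Sec-Fetch-Site header
// cannot by itself stand in for the SameSite=Strict cookie rule.

// Assumed origin of the protected application (not from the report).
const OWN_ORIGIN = 'https://app.example';

// Resource isolation policy in its usual form: allow same-origin, same-site and
// user-initiated ("none") requests, allow cross-site top-level GET navigations,
// deny other cross-site requests. Header names are lower-cased as Node.js does.
function isAllowedByFetchMetadata(headers, method) {
  const site = headers['sec-fetch-site'];
  // Browsers without Fetch Metadata support send no Sec-Fetch-Site at all, so
  // the policy has to let such requests through. A request that merely lacks
  // the header therefore passes; the header's absence is not a deny signal.
  if (site === undefined) return true;
  if (site === 'same-origin' || site === 'same-site' || site === 'none') return true;
  // Cross-site: only plain top-level GET navigations stay allowed so that
  // links into the site keep working.
  const mode = headers['sec-fetch-mode'];
  const dest = headers['sec-fetch-dest'];
  return mode === 'navigate' && method === 'GET' && dest !== 'object' && dest !== 'embed';
}

// Second, independent check for state-changing requests: the Origin header a
// browser attaches to POST form submissions and fetch() calls must be our own.
function hasOwnOrigin(headers) {
  return headers['origin'] === OWN_ORIGIN;
}

// Decision for a state-changing request. Returns which checks would have
// rejected it, so the gap left by each one on its own is visible.
function evaluateStateChange(request) {
  const { method, headers } = request;
  const fetchMetadataBlocks = !isAllowedByFetchMetadata(headers, method);
  const originBlocks = method !== 'GET' && method !== 'HEAD' && !hasOwnOrigin(headers);
  return {
    cookiePresent: typeof headers['cookie'] === 'string' && headers['cookie'].includes('session='),
    fetchMetadataBlocks,
    originBlocks,
    accepted: !fetchMetadataBlocks && !originBlocks,
  };
}

// Constructed requests (not captured traffic).
const REQUESTS = {
  // Normal same-origin form post from the app's own page.
  sameOriginPost: {
    method: 'POST',
    headers: {
      'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document',
      origin: OWN_ORIGIN, cookie: 'session=abc123',
    },
  },
  // Cross-site form post from an attacker page in a conforming browser:
  // labelled cross-site, and the SameSite=Strict cookie is not attached.
  crossSitePost: {
    method: 'POST',
    headers: {
      'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document',
      origin: 'https://attacker.example',
    },
  },
  // The shape the report describes: the Strict cookie arrives on a cross-site
  // navigation and Sec-Fetch-Site is absent. Fetch Metadata alone passes it;
  // only the Origin check still rejects it.
  crossSitePostMissingFetchMetadata: {
    method: 'POST',
    headers: { origin: 'https://attacker.example', cookie: 'session=abc123' },
  },
};

for (const [name, req] of Object.entries(REQUESTS)) {
  console.log(name, evaluateStateChange(req));
}
```

The third request is the interesting one: the cookie is present, so the session is valid, and the Fetch Metadata check passes because the header is simply not there. Only a check that does not depend on the browser labelling the request (here the Origin comparison; a per-request CSRF token would serve the same purpose) rejects it, which is why SameSite cookies and Fetch Metadata are treated as defence in depth rather than as the sole CSRF control.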