Dark C0d3rs
HackerOne Disclosed Reports - 2025-10-14 - Printable Version




HackerOne disclosed reports - 2025-10-14 - hashXploiter - 10-15-2025

Severity: High | Status: resolved

SameSite restrictions are lifted, and SameSite:Strict cookies are being sent.


Bug reported by mingi was disclosed on October 15, 2025, 5:41 am   |   Improper Certificate Validation

A vulnerability was discovered where SameSite=Strict cookies were being sent during cross-site navigations, even though they should have been restricted under the SameSite policy. This was caused by the absence of the Sec-Fetch-Site: cross-site header, which is normally used to prevent such bypasses and protect against CSRF attacks. The issue was reported to have been observed in Brave browser version 1.80.120 during a window operation.
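The report above describes a browser defect in which a SameSite=Strict cookie rides along on a cross-site navigation and the Sec-Fetch-Site header is missing, so a server that relies on SameSite cookies alone has no CSRF protection for that request. The following is an added example (not part of the post, the HackerOne report, or Brave's code) of a server-side guard that does not depend on the browser getting SameSite right: it honours Sec-Fetch-Site when the browser sends it, falls back to the Origin and then the Referer header when it is absent, and fails closed when no provenance header exists. The function names (`classify_request`, `origin_of`, `run_samples`), the policy of rejecting `same-site` alongside `cross-site`, the origin `https://app.example` and the sample request headers are all constructed for this illustration.

```python
"""Defence-in-depth CSRF guard: do not trust SameSite cookies alone.

Added example, not code from the report or from Brave. Decides whether a
state-changing request may proceed by looking at who sent it, in this order:
Sec-Fetch-Site (if the browser sent it), then Origin, then Referer, then deny.
"""
from urllib.parse import urlsplit

# Methods that must never change state, so they are always allowed through.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

# Sec-Fetch-Site values allowed to trigger a state change. "none" means a
# user-initiated navigation (typed URL, bookmark). "same-site" (a sibling
# subdomain) is deliberately not trusted here; relax it per deployment.
TRUSTED_FETCH_SITES = frozenset({"same-origin", "none"})


def origin_of(url: str):
    """Return 'scheme://host[:port]' in lower case, or None if unparseable.

    Note that the literal Origin value "null" parses to None, so it can never
    match the application's own origin and is therefore rejected.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def classify_request(method: str, headers: dict, own_origin: str):
    """Return (allowed, reason) for one request against own_origin.

    `headers` is a plain dict of request headers; key lookup is
    case-insensitive. Only return values are used, nothing is printed.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}

    if method.upper() in SAFE_METHODS:
        return True, "safe method"

    # 1. Fetch metadata: authoritative when present, because the browser sets
    #    it and a page cannot forge it.
    fetch_site = h.get("sec-fetch-site")
    if fetch_site is not None:
        if fetch_site.lower() in TRUSTED_FETCH_SITES:
            return True, f"sec-fetch-site={fetch_site}"
        return False, f"sec-fetch-site={fetch_site}"

    # 2. Header absent (old client, non-browser client, or a browser defect
    #    such as the one in the report above): compare Origin with ourselves.
    origin = h.get("origin")
    if origin is not None:
        if origin_of(origin) == origin_of(own_origin):
            return True, "origin matches"
        return False, f"origin {origin!r} does not match"

    # 3. Last resort: Referer. Stripped by some privacy settings, so it is only
    #    consulted when nothing better exists.
    referer = h.get("referer")
    if referer is not None:
        if origin_of(referer) == origin_of(own_origin):
            return True, "referer matches"
        return False, "referer does not match"

    # 4. Nothing tells us where the request came from: fail closed.
    return False, "no provenance headers; fail closed"


# Constructed sample requests (not captured traffic) covering each branch.
SAMPLE_REQUESTS = [
    ("get_cross_site", "GET", {"Sec-Fetch-Site": "cross-site"}),
    ("post_cross_site_header", "POST", {"Sec-Fetch-Site": "cross-site",
                                        "Origin": "https://evil.example"}),
    ("post_same_origin_header", "POST", {"Sec-Fetch-Site": "same-origin"}),
    ("post_user_initiated", "POST", {"Sec-Fetch-Site": "none"}),
    ("post_no_fetch_site_bad_origin", "POST", {"Origin": "https://evil.example"}),
    ("post_no_fetch_site_good_origin", "POST", {"Origin": "https://app.example"}),
    ("post_no_fetch_site_null_origin", "POST", {"Origin": "null"}),
    ("post_referer_only_good", "POST", {"Referer": "https://app.example/settings"}),
    ("post_no_headers", "POST", {}),
]


def run_samples(own_origin: str = "https://app.example"):
    """Classify every sample request; returns {name: allowed} for inspection."""
    return {name: classify_request(method, headers, own_origin)[0]
            for name, method, headers in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for name, method, headers in SAMPLE_REQUESTS:
        allowed, reason = classify_request(method, headers, "https://app.example")
        print(f"{name:32} {method:5} -> {'ALLOW' if allowed else 'DENY '} ({reason})")
```

The important branch for the reported bug is step 2: when Sec-Fetch-Site is missing, the guard does not assume the request is benign but checks Origin and Referer explicitly, and a request carrying none of the three is denied. Such a guard belongs alongside, not instead of, anti-CSRF tokens.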