Black & White Path
Jun 23, 2026 · Information Security
Bypassing SameSite Lax via Top‑Level Redirect: Web Cache Deception Attack Worth $2,000
Security researcher tinopreter discovered a high-severity web cache deception vulnerability on a self-registration booking platform: cached home pages leaked users' JWTs, and by exploiting SameSite Lax cookie defaults with a top-level navigation redirect, an attacker could hijack accounts. The finding earned a $2,000 bounty.
Cache Bypass · JWT · SameSite Lax
