{“lastseen”:”2026-04-16T10:43:33″,”description”:”\\n\\nA bank approved a Taboola pixel. That pixel quietly redirected logged-in users to a Temu tracking endpoint. This occurred without the bank\u2019s knowledge, without user consent, and without a single security control registering a violation.\\n\\n\\n\\n### **\\n\\n\\u003e Read the full technical breakdown in the Security Intelligence Brief.Download now \u2192\\n\\n**\\n\\n## **The \\”First-Hop Bias\\” Blind Spot**\\n\\nMost security stacks, including WAFs, static analyzers, and standard CSPs, share a common failure mode: they evaluate the **declared origin** of a script, not the **runtime destination** of its request chain.\\n\\nIf sync.taboola.com is in your Content Security Policy (CSP) allow-list, the browser considers the request legitimate. However, it does not re-validate against the terminal destination of a **302 redirect**. By the time the browser reaches temu.com, it has inherited the trust granted to Taboola.\\n\\n\\n\\n## **The Forensic Trace**\\n\\nDuring a February 2026 audit of a European financial platform, Reflectiz identified the following redirect chain executing on logged-in account pages:\\n\\n 1. **Initial Request:** A GET request to https:\/\/sync.taboola.com\/sg\/temurtbnative-network\/1\/rtb\/.\\n 2. **The Redirect:** The server responded with a **302 Found** , redirecting the browser to https:\/\/www.temu.com\/api\/adx\/cm\/pixel-taboola?….\\n 3. **The Payload:** The redirect included the critical header Access-Control-Allow-Credentials: true.\\n\\n\\n\\nThis header specifically instructs the browser to include cookies in the cross-origin request to Temu\u2019s domain. This is the mechanism by which Temu can read or write tracking identifiers against a browser it now knows visited an authenticated banking session.\\n\\n\\n\\n### **Why Conventional Tools Missed It**\\n\\n“`html Tool | Why it Fails \\n—|— \\nWAF | Inspects inbound traffic only; misses outbound browser-side redirects. \\nStatic Analysis | Sees the Taboola code in the source but cannot predict runtime 302 destinations. \\nCSP Allow-lists | Trust is transitive; the browser follows the redirect chain automatically once the first hop is approved. \\n“` \\n\\n## **The Regulatory Fallout**\\n\\nFor regulated entities, the absence of direct credential theft does not limit the compliance exposure. Users were never informed their banking session behavior would be associated with a tracking profile held by PDD Holdings \u2014 a transparency failure under GDPR Art. 13. The routing itself involves infrastructure in a non-adequate country, and without Standard Contractual Clauses covering this specific fourth-party relationship, the transfer is unsupported under GDPR Chapter V. \\”We didn’t know the pixel did that\\” is not a defense available to a data controller under Art. 24.\\n\\nThe PCI DSS exposure compounds this. A redirect chain terminating at an unanticipated fourth-party domain falls outside the scope of any review that evaluated only the primary vendor \u2014 which is precisely what Req. 6.4.3 was written to close.\\n\\n## **Inspect Runtime, Not Just Declarations**\\n\\nRight now, the same Taboola pixel configuration runs on thousands of websites. The question isn’t whether redirect chains like this are happening. They are. The question is whether your security stack can see past the first hop \u2014 or whether it stops at the domain you approved and calls it done.\\n\\n**For security teams:** inspect runtime behavior, not just declared vendor lists. \\n\\n**For legal and privacy teams:** browser-level tracking chains on authenticated pages warrant the same rigor as backend integrations.\\n\\n**The threat entered through the front door. Your CSP let it in.**\\n\\n\\n\\n### **\\n\\n\\u003e The full technical evidence log is in the Security Intelligence Brief. Download it here \u2192\\n\\n**\\n\\nFound this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.\\n”,”published”:”2026-04-16T10:30:00″,”modified”:”2026-04-16T10:30:00″,”type”:”thn”,”title”:”Hidden Passenger? How Taboola Routes Logged-In Banking Sessions to Temu”,”source”:””,”references”:””,”id”:”THN:734741AB69E10E8431C0E37B2DE9149D”,”bulletinFamily”:”info”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/thehackernews.com\/2026\/04\/hidden-passenger-how-taboola-routes.html”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-16T10:43:33″,”description”:”\\n\\nA bank approved a Taboola pixel. That pixel quietly redirected logged-in users to a Temu tracking endpoint. This occurred without the bank\u2019s knowledge, without user…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,11,43,5],"class_list":["post-47424","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-tapic","tag-thn","tag-vulnerability"],"yoast_head":"\n