Plaid TABE — Same-Origin XSS on cdn.plaid.com
window.location.assign() — works in Chrome, Firefox, Safari, Edge
What this proves
Arbitrary JavaScript execution in the cdn.plaid.com origin.
The attacker controls the redirect_uri parameter and the JWT tabe_uri field.
No signature verification on the JWT. No scheme validation on redirect_uri.
Steps to trigger
- Click the red button below — it opens cdn.plaid.com with the crafted parameters.
- A bank login screen ("Demo Bank") appears — this is the TABE credentials pane rendered by Plaid's real code.
- Click the X (close button) in the top-right corner.
- An exit confirmation appears: "Are you sure you want to exit?"
- Click "Yes, exit".
- alert() fires showing cookies — JavaScript has executed in the cdn.plaid.com origin.
Trigger
Launch XSS PoC
After the credentials pane loads: X → "Yes, exit" → XSS fires
Impact
- Cookie theft — steal __Secure-sfpc and any other cookies on cdn.plaid.com
- Session fixation via cookie toss — inject attacker's SFPC cookie to hijack bank connections across 8,000+ apps (Venmo, Robinhood, Coinbase, etc.)
- Credential phishing — modify the DOM to capture bank credentials in a legitimate-looking Plaid flow
- Full DOM control — read/write any element, exfiltrate data, redirect user
Sink: window.location.assign(redirectUri) in flink.js
Source: redirect_uri URL parameter — no sanitization
Root cause: JWT decoded with atob(), no signature verification