Abuse of misconfigured Ada Support widget iframe allowlist leads to OAuth token leakage
This blog details a flaw in Ada Support’s iframe allowlist where an unclaimed domain was still trusted. Attackers could register it, embed the real support chat, steal OAuth tokens and transcripts, and fully compromise sessions. It stresses the need to monitor allowlisted domains to prevent such risks.
August 27, 2025