[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"tag:pci-dss":3},{"tag":4,"articles":8,"awareness":18,"events":19,"tips":20,"focus_items":21,"total_count":22},{"slug":5,"name":6,"description":7},"pci-dss","PCI-DSS","Payment Card Industry Data Security Standard",[9],{"id":10,"title":11,"slug":12,"brief":13,"ai_summary":14,"url":15,"image_url":16,"published_at":17},"5c7d3a61-2acd-4264-bbb4-2eb713b35317","Hidden Passenger? How Taboola Routes Logged-In Banking Sessions to Temu","hidden-passenger-how-taboola-routes-logged-in-banking-sessions-to-temu-e84425","Taboola pixel redirects logged-in banking sessions to Temu tracking without consent or knowledge.","During a February 2026 audit of a European financial platform, security researchers discovered that an approved Taboola pixel was silently redirecting authenticated banking users to a Temu tracking endpoint via a 302 redirect chain, complete with credentials headers. The redirect chain exploited a \"first-hop bias\" vulnerability in WAFs, CSP policies, and static analyzers, which only validate the declared origin (Taboola) but fail to inspect runtime destinations. This constitutes GDPR transparency violations (Art. 13) and potential data transfer violations (Chapter V), plus PCI DSS Req. 6.4.3 breaches, as users were never informed and the fourth-party relationship involved non-adequate jurisdictions.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F04\u002Fhidden-passenger-how-taboola-routes.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEiaSzIRGweO7UJkqOLQTUDsqPy53XtIWCzyLklGJLfFxhneZiFpxg8zJRXukUqEsT4TbdFwUZbvTfwuexfGuiYjcDQ-iZDjqwZ2lDlCIhgopZWevBpdi4rr6GxgXpU6MmFnzdMpq_WGdA9PRfaNw_7eDAOugAV1tccfmREgbXveM1N15G2_L9lFxCq1Pv0\u002Fs1600\u002Freflectiz.jpg","2026-04-16T10:30:00+00:00",[],[],[],[],1]