Auth Token Theft via CORS Misconfiguration
A critical CORS misconfiguration allowed authentication tokens to be stolen by abusing a wildcard-like origin match combined with Access-Control-Allow-Credentials: true.
A real-world case where UI-level permission controls were not enforced at the API level, allowing message sending and user impersonation.