tkm.bitgo.com postMessage origin-allowlist bypass (substring) → session injection / same-origin XSS

Served from https://tm.bitgowealthmanagement.com.gr3me.co.uk/: that origin contains the string
tm.bitgowealthmanagement.com, so the vulnerable isLegacySubdomain (Sk) substring check passes.
Serving this from any other origin (e.g. localhost) will be correctly rejected — that is the control case.
Click a button (a user gesture is required so the popup isn't blocked). Allow popups for this site if prompted.
Session injection: the posted message stores an attacker-controlled authUser in the victim's
tkm.bitgo.com localStorage (login CSRF / session fixation). Inspect
localStorage.authUser in the popup's devtools afterward to confirm it.
XSS: the posted message sets uiHost to a javascript: URI; the app's own route guard then runs
location.replace(`${uiHost}/login?error=wrong-url`), so our script executes in the
tkm.bitgo.com origin. The payload posts a beacon back to this page, which proves execution.
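The example below is added here and is not code from this PoC page or from the tkm.bitgo.com app. It reconstructs the two checks the page describes: a substring-style origin check in the spirit of isLegacySubdomain (Sk), shown vulnerable and then fixed, and a scheme/host check for the uiHost value that the route guard interpolates into location.replace(). It also goes one step beyond the page by testing a suffix-without-dot origin (evil-tm.bitgowealthmanagement.com), which the same substring check accepts. The allowlisted host, the function names and the {authUser, uiHost} message shape are assumptions; the sample messages are constructed.

```javascript
// Added example, not the PoC page's or BitGo's code. Function names, the
// allowlisted host and the message shape are assumptions for illustration.

const LEGACY_BASE = 'tm.bitgowealthmanagement.com'; // assumed allowlisted host

// Vulnerable: accepts any origin string that merely CONTAINS the host, so
// https://tm.bitgowealthmanagement.com.gr3me.co.uk (the PoC origin) and
// https://evil-tm.bitgowealthmanagement.com both pass.
function isLegacySubdomainVulnerable(origin) {
  return origin.indexOf(LEGACY_BASE) !== -1;
}

// Fixed: parse the origin, require https, then compare the hostname exactly
// or as a dot-bounded suffix. Anything unparseable is rejected.
function isLegacySubdomainFixed(origin) {
  let u;
  try { u = new URL(origin); } catch { return false; }
  if (u.protocol !== 'https:') return false;
  const host = u.hostname.toLowerCase();
  return host === LEGACY_BASE || host.endsWith('.' + LEGACY_BASE);
}

// uiHost is later used as location.replace(`${uiHost}/login?...`), so a
// javascript: value executes in the app's origin. Accept only a bare https
// origin (no path, query or fragment) whose host passes the fixed check.
function isSafeUiHost(uiHost) {
  let u;
  try { u = new URL(uiHost); } catch { return false; }
  return u.protocol === 'https:'
    && u.pathname === '/' && u.search === '' && u.hash === ''
    && isLegacySubdomainFixed(u.origin);
}

// Two policies for the simulated receiver: the vulnerable one trusts uiHost
// verbatim once the origin check passes; the fixed one validates both.
const VULNERABLE = { originOk: isLegacySubdomainVulnerable, uiHostOk: () => true };
const FIXED = { originOk: isLegacySubdomainFixed, uiHostOk: isSafeUiHost };

// Simulated message handler: returns the state it would write, or null when
// the message is dropped. Real handlers write localStorage; this one returns
// the object so the outcome can be inspected.
function handleMessage(event, policy) {
  if (!policy.originOk(event.origin)) return null;
  const data = event.data || {};
  const out = {};
  if (typeof data.authUser === 'string') out.authUser = data.authUser;
  if (typeof data.uiHost === 'string') {
    out.uiHost = policy.uiHostOk(data.uiHost) ? data.uiHost : null;
  }
  return out;
}

// Constructed sample messages: the PoC origin, the legitimate origin, the
// page's localhost control case, and the suffix-without-dot variant.
const SAMPLES = [
  { origin: 'https://tm.bitgowealthmanagement.com.gr3me.co.uk',
    data: { authUser: 'attacker-session', uiHost: 'javascript:alert(document.domain)//' } },
  { origin: 'https://tm.bitgowealthmanagement.com',
    data: { uiHost: 'https://tm.bitgowealthmanagement.com' } },
  { origin: 'http://localhost:8000', data: { authUser: 'x' } },
  { origin: 'https://evil-tm.bitgowealthmanagement.com', data: { authUser: 'x' } },
];

function runSamples(policy) {
  return SAMPLES.map((ev) => ({ origin: ev.origin, result: handleMessage(ev, policy) }));
}

console.log('vulnerable policy:', JSON.stringify(runSamples(VULNERABLE), null, 1));
console.log('fixed policy:', JSON.stringify(runSamples(FIXED), null, 1));
```

Under the vulnerable policy the PoC origin gets both an attacker-chosen authUser and a javascript: uiHost accepted; under the fixed policy the same message is dropped at the origin check, and even a message from the legitimate origin cannot set uiHost to a non-https value. One practical caveat for the XSS leg: the route guard appends /login?error=wrong-url to whatever uiHost holds, so a javascript: payload has to tolerate that suffix, which is why the sample ends with // to comment it out.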