PoC — tkm.bitgo.com postMessage origin-allowlist bypass (substring) → session injection / same-origin XSS

This page must be served from an origin whose host contains one of the whitelisted substrings.
Intended host: https://tm.bitgowealthmanagement.com.gr3me.co.uk/ — its origin contains tm.bitgowealthmanagement.com, so the vulnerable isLegacySubdomain (Sk) check passes. Serving this from any other origin (e.g. localhost) will be correctly rejected — that is the control case.

Run

Click a button (a user gesture is required so the popup isn't blocked). Allow popups for this site if prompted.

Session-injection stores an attacker-controlled authUser into the victim's tkm.bitgo.com localStorage (login CSRF / session fixation) — inspect localStorage.authUser in the popup's devtools afterward.
XSS sets uiHost to a javascript: URI; the app's own route guard runs location.replace(`${uiHost}/login?error=wrong-url`), executing our script in the tkm.bitgo.com origin. This page then receives a beacon the payload posts back — proving execution.
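The root cause described above is a substring test on the message origin, and the second bug is an unvalidated uiHost reaching location.replace. As an added defensive illustration (this is not the PoC's code and not BitGo's own code; the function names, the allowlist contents and the {type, authUser} message shape are assumptions), the block below puts the weak substring check beside an exact-origin check and a redirect-target validator, then wires the hardened check into a postMessage handler. The attacker-style origin used in the tests is a constructed placeholder on attacker.example; the crafted origin on this page would be rejected in the same way.

```javascript
// Added example, not the PoC's or BitGo's code. Shows why a substring test on
// a postMessage origin is bypassable, how an exact-origin check closes it, and
// how to validate a host before it is ever used in location.replace().

// Constructed allowlist of legitimate hosts (assumed for illustration).
const LEGACY_HOSTS = ["tm.bitgowealthmanagement.com"];

// Weak check in the style of the isLegacySubdomain (Sk) check the PoC targets:
// a plain substring match, so any host that merely contains the allowlisted
// name (e.g. "tm.bitgowealthmanagement.com.attacker.example") passes.
function isLegacySubdomainWeak(origin) {
  return LEGACY_HOSTS.some((h) => origin.includes(h));
}

// Hardened check: parse the origin, require https, require a bare origin
// (no path, port or credentials smuggled in), and compare the hostname exactly
// or as a real subdomain on a dot boundary. Any parse failure rejects.
function isAllowedOrigin(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false;
  }
  if (url.protocol !== "https:") return false;
  if (url.origin !== origin) return false;
  return LEGACY_HOSTS.some(
    (h) => url.hostname === h || url.hostname.endsWith("." + h)
  );
}

// Redirect-target validation: only an allowlisted https origin may become
// uiHost, so a javascript: URI or a foreign host never reaches location.replace().
function safeUiHost(candidate, fallback) {
  return isAllowedOrigin(candidate) ? candidate : fallback;
}

// postMessage handler a defender would ship. `storage` stands in for
// window.localStorage so the logic can run outside a browser; returns true only
// when the message was accepted and stored, false when it was dropped.
function makeMessageHandler(storage) {
  return function onMessage(event) {
    if (!isAllowedOrigin(event.origin)) return false; // drop silently, store nothing
    if (!event.data || event.data.type !== "session") return false;
    storage.authUser = JSON.stringify(event.data.authUser);
    return true;
  };
}

// In a page: window.addEventListener("message", makeMessageHandler(window.localStorage));
```

Note that the comparison is against event.origin as the browser supplies it (scheme, host and non-default port only), which is why the check insists that url.origin equals the raw string; a value with a trailing slash or path is not an origin and is rejected rather than normalised.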