Hidden Passenger? How Taboola Routes Logged-In Banking Sessions to Temu


The Hacker News, Apr 16, 2026

Why It Matters

The breach exposes a hidden data flow that compromises user privacy and violates regulatory obligations, forcing banks to rethink runtime monitoring and third-party risk management.

Key Takeaways

  • Taboola pixel redirects logged‑in banking users to Temu via 302
  • CSPs only validate first‑hop origin, not final redirect destination
  • WAFs and static analysis miss outbound browser‑side redirects
  • GDPR and PCI DSS compliance risk from fourth‑party data transfer
  • Security teams must monitor runtime request chains, not just vendor lists

Pulse Analysis

The recent Reflectiz audit uncovered a subtle yet serious data-flow issue on a European bank’s website. A Taboola tracking pixel, approved in the site’s Content Security Policy, issued a GET request that received a 302 redirect to a Temu endpoint. Because the redirect carried the header Access-Control-Allow-Credentials: true, the browser attached the user’s authenticated cookies to the cross-origin request, allowing Temu to link a banking session with its advertising profile. The entire chain occurs client-side, invisible to traditional inbound-traffic monitors.

Most security stacks evaluate only the declared origin of a script, assuming that a CSP whitelist guarantees safety for every subsequent request. This “first‑hop bias” leaves browsers free to follow any number of redirects, effectively extending trust to domains that were never vetted. Web‑application firewalls, static code scanners, and even advanced CSP reporting tools fail to capture outbound redirects that happen after the initial request. Organizations must adopt runtime‑behavior monitoring, such as client‑side telemetry or redirect‑chain analysis, to surface hidden data exfiltration paths before they reach third‑party trackers.
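As an added example (not code from Reflectiz, Taboola or The Hacker News), the redirect-chain analysis this paragraph calls for, run over HAR-style browser network entries: chains are stitched from 3xx hops and flagged when the final destination is an origin the CSP allow-list never named. The entry shape, the hostnames and the allow-list are constructed for illustration.

```javascript
// Added example (not Reflectiz/Taboola/THN code); hosts, entries and allow-list are constructed.
const originOf = url => new URL(url).origin;
const isRedirect = e => e.response.status >= 300 && e.response.status < 400 && !!e.response.redirectURL;
const targetOf = e => new URL(e.response.redirectURL, e.request.url).href;
const headerValue = (e, name) =>
  (e.response.headers.find(h => h.name.toLowerCase() === name) || {}).value;
// Stitch entries into chains: start at any request that is not itself a redirect
// target, then follow redirectURL to the entry that fetched it (bounded against loops).
function buildChains(entries) {
  const byUrl = new Map(entries.map(e => [e.request.url, e]));
  const targets = new Set(entries.filter(isRedirect).map(targetOf));
  return entries.filter(e => !targets.has(e.request.url)).map(first => {
    const chain = [first];
    for (let cur = first; isRedirect(cur) && chain.length < 20; cur = chain[chain.length - 1]) {
      const next = byUrl.get(targetOf(cur));
      if (!next) break;
      chain.push(next);
    }
    return chain;
  });
}
// Flag chains whose final hop lands outside the CSP allow-list (the first hop was
// approved, the destination never was); record whether that request carried cookies and
// whether any hop answered Access-Control-Allow-Credentials: true, as in the report.
function findUnvettedRedirects(entries, allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  return buildChains(entries)
    .filter(chain => chain.length > 1 && !allowed.has(originOf(chain[chain.length - 1].request.url)))
    .map(chain => ({
      firstHop: originOf(chain[0].request.url),
      finalHop: originOf(chain[chain.length - 1].request.url),
      hops: chain.length,
      credentialed: chain[chain.length - 1].request.cookies.length > 0,
      allowCredentials: chain.some(h => headerValue(h, "access-control-allow-credentials") === "true"),
    }));
}
// Constructed sample: a CSP-approved pixel host answers 302 to an origin the CSP never listed.
const BANK_CONNECT_SRC = ["https://bank.example", "https://pixel.example"];
const SAMPLE_ENTRIES = [
  { request: { url: "https://bank.example/account", cookies: [{ name: "sid" }] },
    response: { status: 200, headers: [], redirectURL: "" } },
  { request: { url: "https://pixel.example/p.gif?page=account", cookies: [] },
    response: { status: 302, redirectURL: "https://ads.example/collect?c=1",
                headers: [{ name: "Access-Control-Allow-Credentials", value: "true" }] } },
  { request: { url: "https://ads.example/collect?c=1", cookies: [{ name: "uid" }] },
    response: { status: 204, headers: [], redirectURL: "" } },
];
console.log(findUnvettedRedirects(SAMPLE_ENTRIES, BANK_CONNECT_SRC));
```

Feeding a real HAR export's `log.entries` to `findUnvettedRedirects` with the site's CSP source list gives the same report over live traffic.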

The regulatory fallout is equally stark. Under GDPR Article 13, users must be informed of any profiling that links their banking activity to external advertisers, a requirement the bank clearly violated. Moreover, the transfer to Temu—hosted in a jurisdiction without an EU adequacy decision—fails to meet the safeguards of Article 24 and Chapter V without a proper Standard Contractual Clause. PCI DSS Requirement 6.4.3 also mandates visibility into all fourth‑party connections. To remediate, firms should audit every third‑party pixel, enforce strict redirect‑blocking policies, and integrate real‑time monitoring into their compliance workflows.

