Access Control · CVSS 8.8 · Critical · 8 min read
The iframe That Could Rewrite Ballot Templates
A government digital services platform trusted every postMessage it received — no origin check, no source validation. Any website could embed the platform in an iframe and send crafted messages to modify sensitive document templates. One missing conditional turned a routine message handler into an access control bypass.
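As an added illustration (not the case study's own code), the handler below is written in the vulnerable shape the summary describes, beside a hardened version that performs the missing checks; it is a pure function taking a MessageEvent-like object so it runs under Node without a browser. The trusted origin, the action name and the template schema are assumptions.

```javascript
// Assumed trusted embedding origin; a real deployment would load this from config.
const TRUSTED_ORIGINS = new Set(["https://portal.example.gov"]);
const ALLOWED_ACTIONS = new Set(["updateTemplate"]);
const TEMPLATE_ID = /^[a-z0-9-]{1,64}$/;

// Vulnerable shape: every message is trusted, so any page that embeds the
// platform in an iframe can rewrite templates.
function vulnerableHandler(event, templates) {
  const { templateId, body } = event.data;
  templates.set(templateId, body);
  return true;
}

// Hardened shape: exact-match origin allowlist, expected sender window, and a
// strict schema before any state changes. Substring or prefix checks on
// event.origin would still accept lookalike hosts, so the Set lookup is exact.
function hardenedHandler(event, templates, expectedSource) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return { ok: false, reason: "untrusted-origin" };
  if (expectedSource && event.source !== expectedSource) return { ok: false, reason: "unexpected-source" };
  const msg = event.data;
  if (typeof msg !== "object" || msg === null) return { ok: false, reason: "malformed" };
  if (!ALLOWED_ACTIONS.has(msg.action)) return { ok: false, reason: "unexpected-action" };
  if (typeof msg.templateId !== "string" || !TEMPLATE_ID.test(msg.templateId)) {
    return { ok: false, reason: "bad-template-id" };
  }
  if (typeof msg.body !== "string" || msg.body.length > 10000) return { ok: false, reason: "bad-body" };
  templates.set(msg.templateId, msg.body);
  return { ok: true };
}

// Browser wiring: when embedded, the only legitimate sender is the parent frame.
if (typeof window !== "undefined") {
  const templates = new Map();
  window.addEventListener("message", (e) => hardenedHandler(e, templates, window.parent));
}
```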