Whop Security PoC - Malicious App

Step 1: Cookie Theft

Cookies readable from iframe via document.cookie (shared .whop.com scope):

Extracting...

Step 2: Exfiltration to Attacker Server

Stolen cookies sent to ATTACKER_SERVER/collect:

Waiting...

Step 3: Account Takeover via Server-Side Relay

Attacker server uses stolen cookies + httpOnly cookies (sent automatically with same-site requests) to modify victim's profile.

Relay ATO (Change Profile) Custom Relay

Ready

Step 4: SDK Exploitation - Phishing Redirect

Using @whop/iframe SDK's openExternalUrl to redirect victim to attacker-controlled login page.

Launch Phishing Redirect

Ready

Step 5: Direct CSRF (Same-Site Cookie Inclusion)

All .whop.com cookies (including httpOnly) are automatically included in requests to whop.com from this iframe (same eTLD+1).

Fetch Profile (no-cors) Form POST to Settings GraphQL Query

Ready

Event Log