# humand-web — postMessage token ingestion without origin validation

STATUS: DRAFT

program: humand-web | platform: huntr | repo: HumandDev/humand-web | commit: 2026-02-13-scan

````
Repository URL: https://github.com/HumandDev/humand-web
Package Manager: npm
CVSS:
Attack Vector: Network
Title: humand-web — postMessage token ingestion without origin validation
Description:

## huntr Form Fields

```
Package Manager: npm
Version Affected: latest frontend build (observed in 2026-02-13 scan)
Vulnerability Type: Origin Validation Error
CVSS:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: High
Availability: None
Title: window.postMessage handler accepts tokens from any origin
```

### Description

# Description

`useMobileToken` registers a global `message` event listener that trusts the message payload but never checks `event.origin` (nor `event.source`). Observed pattern:

```ts
const handleMessage = event => {
  // No check of event.origin or event.source: any window that can reach
  // this one can trigger the write below.
  if (event.data.type === 'humand') {
    encryptStorage.setItem('accessToken', event.data.token);
  }
};
window.addEventListener('message', handleMessage);
```

Any page that holds a reference to the app's window, either because it embeds the app in an iframe or because it opened the app with `window.open` and kept the returned reference, can post a crafted message with a `targetOrigin` of `'*'`, and the handler will overwrite the victim's stored access token.

# Proof of Concept

1. Host an attacker-controlled page that embeds the target app in an iframe or opens it with `window.open`, and keep the resulting window reference (`victimWindow`).
2. Send the crafted message:

```js
victimWindow.postMessage({ type: 'humand', token: 'ATTACKER_JWT' }, '*');
```

3. The victim app accepts the message and stores the attacker-supplied token; confirm by inspecting the `accessToken` entry in storage before and after the message is sent.
4. Subsequent requests that read `accessToken` from storage run as the attacker's account, so the victim is now operating in an attacker-controlled session (session fixation / forced-login state).

Triage note: the iframe path only works if the app's responses permit framing (no `X-Frame-Options` / CSP `frame-ancestors` restriction); the opener path does not depend on framing, so check both before assessing exploitability.

### Impact

An attacker can replace the victim's stored token with one bound to an attacker-controlled account, so actions the victim takes are performed in, and attributed to, that account (account confusion, session fixation, unauthorized action attribution). Chained with another flaw such as XSS or a token leak, it further weakens the trust boundary of the mobile bridge authentication flow. Remediation is to compare `event.origin` against an explicit allowlist of bridge origins (and, where the sending window is known, `event.source` against that window) before accepting the token, per the MDN guidance referenced below.

### Occurrences

```
Permalink: /src/hooks/useMobileToken.ts#L6-L12
Description: Message handler writes access token without validating sender origin
```

### References

```
URL: https://cwe.mitre.org/data/definitions/346.html
Name: CWE-346: Origin Validation Error
URL: https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
Name: MDN - postMessage security guidance (validate origin)
```
````
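The following is an added example, not code from the humand-web repository or from this report's author. It places the vulnerable listener shape described in the Description section beside a hardened replacement and drives both with constructed `MessageEvent`-like objects, so it runs in Node without a browser. The storage stand-in, the origins (`https://app.humand.example`, `https://attacker.example`), the window stand-ins and the token values are all hypothetical.

```javascript
'use strict';

// Constructed in-memory stand-in for encryptStorage (assumption: a
// setItem/getItem API; the real module is not needed for the demonstration).
function makeStorage() {
  const store = new Map();
  return {
    setItem: (key, value) => store.set(key, value),
    getItem: (key) => store.get(key),
  };
}

// Vulnerable shape, as described in the report: the payload is trusted and
// neither event.origin nor event.source is examined.
function makeVulnerableHandler(storage) {
  return (event) => {
    if (event.data && event.data.type === 'humand') {
      storage.setItem('accessToken', event.data.token);
    }
  };
}

// Loose structural check for a compact JWS (three base64url segments). This
// is only a shape filter; real signature verification happens server side.
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;

// Hardened shape. Assumptions (not from the repository): the mobile bridge
// posts from a fixed, known set of origins, and the window expected to send
// the token can be identified when the listener is bound.
function makeHardenedHandler(storage, trustedOrigins, expectedSource) {
  const allow = new Set(trustedOrigins);
  return (event) => {
    // 1. Exact-match the sender origin against an allowlist; never use
    //    startsWith/includes, which lookalike hosts defeat.
    if (!allow.has(event.origin)) return 'rejected:origin';
    // 2. When the sending window is known, require that exact window object.
    if (expectedSource && event.source !== expectedSource) return 'rejected:source';
    // 3. Accept only the exact message shape the bridge is expected to send.
    const d = event.data;
    if (!d || typeof d !== 'object' || d.type !== 'humand') return 'rejected:type';
    if (typeof d.token !== 'string' || !JWT_SHAPE.test(d.token)) return 'rejected:token';
    storage.setItem('accessToken', d.token);
    return 'accepted';
  };
}

// Constructed MessageEvent-like objects; origins, window stand-ins and tokens
// are all hypothetical.
const bridgeWindow = { name: 'mobile-bridge' };
const attackerWindow = { name: 'attacker' };
const TRUSTED_ORIGINS = ['https://app.humand.example'];

const LEGIT_MSG = {
  origin: 'https://app.humand.example',
  source: bridgeWindow,
  data: { type: 'humand', token: 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ2aWN0aW0ifQ.c2ln' },
};
// The report's PoC: same payload shape, posted from an attacker origin.
const ATTACK_MSG = {
  origin: 'https://attacker.example',
  source: attackerWindow,
  data: { type: 'humand', token: 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhdHRhY2tlciJ9.c2ln' },
};

// Drive both handlers with the same message sequence and report what each
// one left in storage plus the hardened handler's per-message decisions.
function runScenario() {
  const vulnStore = makeStorage();
  const vulnerable = makeVulnerableHandler(vulnStore);
  vulnerable(LEGIT_MSG);
  vulnerable(ATTACK_MSG); // overwrites the victim's token: last write wins

  const hardStore = makeStorage();
  const hardened = makeHardenedHandler(hardStore, TRUSTED_ORIGINS, bridgeWindow);
  const results = [
    hardened(LEGIT_MSG),
    hardened(ATTACK_MSG),                                                     // wrong origin
    hardened({ ...LEGIT_MSG, source: attackerWindow }),                       // right origin, wrong window
    hardened({ ...LEGIT_MSG, data: { type: 'humand', token: '<script>' } }),  // malformed token
  ];
  return {
    vulnerableToken: vulnStore.getItem('accessToken'),
    hardenedToken: hardStore.getItem('accessToken'),
    results,
  };
}

// In the browser the hardened handler would be bound as (hypothetical):
//   window.addEventListener('message',
//     makeHardenedHandler(encryptStorage, TRUSTED_ORIGINS, window.opener));
```

`runScenario()` leaves the attacker's token in the vulnerable store and the legitimate token in the hardened store, with the hardened handler returning `accepted`, `rejected:origin`, `rejected:source`, `rejected:token` for the four messages in order. The `event.source` check is optional where the bridge window is not known at bind time; the exact-match origin allowlist is the non-negotiable part, and is what the MDN reference in this report calls for.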