CoinMarketCap Doodle Image Vulnerability Triggered Malicious Code Through an API Call
Summary
1. CoinMarketCap discovered a security flaw on June 20, 2025, in a homepage doodle image that executed malicious code through API calls, causing unwanted pop-ups for users.
2. The breach involved a stored XSS attack where the compromised image triggered unauthorized JavaScript execution and API requests, potentially compromising user browser data.
3. The company immediately removed the malicious content, conducted security audits, and implemented enhanced protection measures.
CoinMarketCap, one of the world’s leading cryptocurrency data platforms, experienced a security vulnerability on June 20, 2025, when a doodle image on their homepage contained malicious code that triggered unauthorized API calls, resulting in unexpected pop-ups for users.
The company’s security team quickly identified and resolved the issue, implementing comprehensive security measures to prevent similar incidents.
CoinMarketCap XSS Attack
CoinMarketCap’s internal security team first detected the security breach on June 20, 2025, when they identified suspicious activity related to a decorative doodle image displayed prominently on the platform’s homepage.
The vulnerability manifested as an XSS (Cross-Site Scripting) attack vector embedded within what appeared to be an innocuous graphical element.
When users visited the homepage, the compromised image executed a malicious payload through an HTTP API endpoint, triggering unauthorized JavaScript execution that generated unexpected pop-up windows.
The attack relied on DOM manipulation: code embedded with the doodle image made unauthorized REST API calls to external servers once the page rendered it.
This type of vulnerability, classified as a stored XSS attack, posed significant risks to user security as it could potentially harvest session tokens, cookies, or other sensitive browser data through the malicious API requests.
Upon discovery, CoinMarketCap’s incident response team implemented immediate containment protocols.
The problematic doodle image was removed from the homepage within minutes of detection, and the development team initiated a comprehensive code audit of all user-facing assets.
The security team traced the root cause to insufficient input validation and content security policy (CSP) enforcement on uploaded media assets.
The company deployed enhanced web application firewall (WAF) rules to filter potentially malicious requests and implemented stricter CORS (Cross-Origin Resource Sharing) policies to prevent unauthorized API access.
Additionally, they strengthened their Content Security Policy headers and introduced real-time monitoring of all DOM events and XMLHttpRequest activities to detect similar attack patterns.
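The "real-time monitoring of XMLHttpRequest activities" mentioned above can be implemented in the page itself by wrapping the browser's request entry points. The following is an added example written for this article, not CoinMarketCap's code: it wraps `fetch()` and `XMLHttpRequest.prototype.open`, resolves each request URL against the page origin, and reports (optionally blocks) any request whose origin is not on an allowlist. `https://www.example.com`, `https://api.example.com` and `https://collector.example` are placeholder origins, and the demo uses a fake `open()` so it runs outside a browser.

```javascript
// Added example (not CoinMarketCap's code): browser-side instrumentation that
// wraps fetch() and XMLHttpRequest.prototype.open, checks every request's origin
// against an allowlist, and reports (optionally blocks) anything else. The
// origins used here are placeholders.

// Decide whether a request URL targets the page's own origin or an allowed one.
function classifyRequest(url, allowedOrigins, pageOrigin) {
  let origin;
  try {
    origin = new URL(String(url), pageOrigin).origin; // resolves relative URLs
  } catch {
    return { allowed: false, reason: "unparseable URL" };
  }
  if (origin === pageOrigin || allowedOrigins.includes(origin)) {
    return { allowed: true, origin };
  }
  return { allowed: false, origin, reason: "origin not in allowlist" };
}

function createOutboundMonitor({ allowedOrigins, pageOrigin, report, block = false }) {
  const events = []; // in-memory record of violations for later triage

  function inspect(kind, url) {
    const verdict = classifyRequest(url, allowedOrigins, pageOrigin);
    if (!verdict.allowed) {
      const event = { kind, url: String(url), ...verdict, at: new Date().toISOString() };
      events.push(event);
      report(event);
    }
    return verdict.allowed;
  }

  return {
    events,
    // Wrap a fetch-like function; `input` may be a URL string or a Request.
    wrapFetch(realFetch) {
      return function monitoredFetch(input, init) {
        const url = typeof input === "string" ? input : input.url;
        if (!inspect("fetch", url) && block) {
          return Promise.reject(new Error("blocked by outbound monitor"));
        }
        return realFetch(input, init);
      };
    },
    // Wrap XMLHttpRequest.prototype.open; `this` is the XHR instance.
    wrapXhrOpen(realOpen) {
      return function monitoredOpen(method, url, ...rest) {
        if (!inspect("xhr", url) && block) {
          throw new Error("blocked by outbound monitor");
        }
        return realOpen.call(this, method, url, ...rest);
      };
    },
    // Patch the globals in a browser; skips whatever is missing (e.g. in Node).
    install(globalObj = globalThis) {
      if (typeof globalObj.fetch === "function") {
        globalObj.fetch = this.wrapFetch(globalObj.fetch.bind(globalObj));
      }
      if (globalObj.XMLHttpRequest) {
        const proto = globalObj.XMLHttpRequest.prototype;
        proto.open = this.wrapXhrOpen(proto.open);
      }
    },
  };
}

if (typeof require !== "undefined" && require.main === module) {
  // Constructed demo with a fake XHR open() so it runs outside a browser.
  const monitor = createOutboundMonitor({
    allowedOrigins: ["https://api.example.com"],
    pageOrigin: "https://www.example.com",
    report: (e) => console.log("ALERT", e.kind, e.url, e.reason),
    block: true,
  });
  const open = monitor.wrapXhrOpen(function (method, url) { return `${method} ${url}`; });
  console.log(open.call({}, "GET", "/api/v1/prices"));
  try {
    open.call({}, "POST", "https://collector.example/beacon");
  } catch (e) {
    console.log(e.message);
  }
}
```

In a real deployment `report` would post the event to a same-origin logging endpoint (which must itself be on the allowlist) and `install()` would run before any other script on the page, since a wrapper installed later cannot see requests that were already issued. A CSP `connect-src` directive enforces the same boundary in the browser without any page code; the wrapper's value is the telemetry, which tells the security team what was attempted rather than silently blocking it.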
Enhanced Security Measures
CoinMarketCap has confirmed that all systems are now fully operational following the implementation of comprehensive security patches.
The platform has undergone extensive penetration testing and vulnerability scanning to ensure no residual security gaps remain. Enhanced API rate limiting and authentication protocols have been deployed to prevent similar exploitation attempts.
The company’s security team continues monitoring user feedback through their support channels while maintaining heightened surveillance of network traffic patterns and HTTP request anomalies.
Users can now safely access the platform with confidence, as the implemented security measures include real-time threat detection, improved session management, and strengthened endpoint security protocols that provide robust protection against future XSS and API-based attacks.