Exploits CORS * + no default auth + file:// scheme bypass to read local files and exfiltrate to a webhook.