RC RANDOM CHAOS

Taboola Widgets on Banking Sites Leak Authenticated Session Data to Temu

via The Hacker News

Original source: Hidden Passenger? How Taboola Routes Logged-In Banking Sessions to Temu (The Hacker News)

A tracking chain embedded in Taboola’s recommendation widgets is forwarding authenticated user signals from banking portals to Temu’s ad infrastructure. Logged-in sessions, normally isolated behind authentication walls, are leaking identifiers and referrer context through third-party scripts that financial institutions load on post-login pages.

The routing works because Taboola’s widget loads additional ad partners dynamically, and Temu’s pixel is among them. When a widget fires inside an authenticated banking session, the Referer header, URL parameters, and cookie-adjacent identifiers propagate downstream, giving an e-commerce advertiser visibility into high-trust financial contexts it has no business seeing.

The failure mode is structural rather than exploitative: banks embedded a monetization script without auditing its downstream dependency graph. It illustrates the recurring third-party script problem in regulated environments, where a single tag manager entry can quietly extend the trust boundary to dozens of unvetted ad networks.
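One way to audit that downstream dependency graph, as an added example that is not code from the article or from any vendor named in it: the function below walks a HAR-like request log captured on a post-login page, rebuilds each third-party request's initiator chain, and flags requests that carry the authenticated page's path or query string. The log format, hosts (`bank.example`, `widget.example`, `adpartner.example`, `cdn.example`) and parameter names are assumptions constructed for illustration.

```javascript
// Added example: audit a HAR-like request log captured on a post-login page.
// All hosts, paths and parameters are constructed placeholders.
const FIRST_PARTY = "bank.example";
const PAGE = "https://bank.example/accounts/summary?cust=12345";

// Constructed sample: request URL, the Referer header sent with it, and the
// URL of the resource that initiated it (null = the page itself).
const sampleLog = [
  { url: PAGE, referer: "", initiator: null },
  { url: "https://widget.example/loader.js", referer: PAGE, initiator: PAGE },
  { url: "https://adpartner.example/pixel?ref=" + encodeURIComponent(PAGE),
    referer: "https://widget.example/", initiator: "https://widget.example/loader.js" },
  { url: "https://cdn.example/font.woff2", referer: "https://bank.example/", initiator: PAGE },
];

const hostOf = (u) => new URL(u).hostname;

// Walk initiator links back to the page to recover who loaded whom.
function chainFor(entry, byUrl) {
  const chain = [];
  const seen = new Set();
  let cur = entry;
  while (cur && cur.initiator && !seen.has(cur.initiator)) {
    seen.add(cur.initiator);
    chain.unshift(hostOf(cur.initiator));
    cur = byUrl.get(cur.initiator);
  }
  return chain;
}

// Flag third-party requests that expose the authenticated page's path or
// query, either via the Referer header or copied into their own parameters.
function auditLog(log, firstParty) {
  const byUrl = new Map(log.map((e) => [e.url, e]));
  const findings = [];
  for (const e of log) {
    const host = hostOf(e.url);
    if (host === firstParty) continue;
    const leaks = [];
    if (e.referer) {
      const r = new URL(e.referer);
      // An origin-only Referer (path "/", no query) is not counted as a leak.
      if (r.hostname === firstParty && (r.pathname !== "/" || r.search)) leaks.push("referer");
    }
    const params = [...new URL(e.url).searchParams.values()];
    if (params.some((v) => v.includes(firstParty + "/"))) leaks.push("url-param");
    if (leaks.length) findings.push({ host, leaks, chain: chainFor(e, byUrl) });
  }
  return findings;
}
```

The second finding is the one a first-party review misses: the ad partner never appears in the bank's own markup, and it receives the page URL as a parameter even though its Referer header names only the widget host.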

This is an AI-generated summary. Read the original for the full story.