⚠ī¸ SECURITY RESEARCH - PROOF OF CONCEPT

This page demonstrates how stolen API credentials can be used to emulate Purolator's webchat widget.

The actual Purolator webchat bundle (webchat-bundle.js) is loaded with injected stolen credentials.

This proves that hardcoded client-side credentials can be extracted and reused to clone functionality.

🔓 Extracted Credentials

Source: Purolator's webchat-purolator.com.js
Application UUID: 8c7481c52661c4933b707a14e6cd22ba
Access Key: 36b788722b860f7dc71a2efac82935a9

Base64 Encoded API Key:

📋 How This Works

  1. Load the real Purolator webchat bundle from CDN
  2. Initialize ChatBot with stolen credentials
  3. Widget connects to OCP.ai WebSocket with our credentials
  4. All tracking queries work through the stolen API keys

Impact: Anyone can extract these credentials and host their own version of Purolator's tracking interface.

🤖 Launch Cloned Widget

Click below to open the webchat widget using stolen credentials: