Outside of my wheelhouse, but is the actual vulnerability here that a legit domain has a legit subdomain CNAME record pointing at an uncontrolled endpoint; $BAD_PERSON registers the target domain and then tricks a user into hitting the endpoint with credentials in cookies?
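As an added example (not part of the original thread), a defender-side check for the scenario asked about above: parse the CNAME records from a zone export, flag targets that no longer resolve (the dangling records a takeover would reuse), and list which cookies a browser would send to such a subdomain under RFC 6265 domain matching. The zone text, resolver answers and cookie list are constructed sample data, and `resolve_target` is a hypothetical injected resolver so the check runs offline.

```python
import re

# Constructed BIND-style zone export for the zone "example.com".
ZONE = """
www       300 IN CNAME  web.example-hosting.net.
shop      300 IN CNAME  shop-old.retired-saas.example.
api       300 IN A      203.0.113.10
"""

# Constructed answers from a hypothetical resolver; None stands for NXDOMAIN.
# In production this would be a real DNS lookup of the CNAME target.
FAKE_DNS = {
    "web.example-hosting.net.": "198.51.100.7",
    "shop-old.retired-saas.example.": None,
}

# Constructed cookies as a browser would store them for the legit site.
# Host-only cookies (no Domain attribute) are sent to that exact host only;
# a cookie with Domain=example.com is sent to every subdomain of it.
COOKIES = [
    {"name": "session", "domain": "example.com", "host_only": False},
    {"name": "csrf", "domain": "www.example.com", "host_only": True},
]

def parse_cnames(zone_text, origin):
    """Return {fqdn: target} for every CNAME in a BIND-style zone export."""
    cnames = {}
    for line in zone_text.splitlines():
        m = re.match(r"^(\S+)\s+\d+\s+IN\s+CNAME\s+(\S+)", line.strip())
        if m:
            cnames[f"{m.group(1)}.{origin}"] = m.group(2)
    return cnames

def find_dangling(cnames, resolve_target):
    """Subdomains whose CNAME target no longer resolves: takeover candidates."""
    return sorted(name for name, target in cnames.items()
                  if resolve_target(target) is None)

def cookies_exposed(host, cookies):
    """Names of cookies a browser would send to `host` (RFC 6265 domain match)."""
    exposed = []
    for c in cookies:
        dom = c["domain"].lstrip(".")
        if host == dom or (not c["host_only"] and host.endswith("." + dom)):
            exposed.append(c["name"])
    return exposed

if __name__ == "__main__":
    cnames = parse_cnames(ZONE, "example.com")
    for sub in find_dangling(cnames, FAKE_DNS.get):
        print(sub, "-> dangling CNAME; cookies at risk:", cookies_exposed(sub, COOKIES))
```

The output shows which parent-scoped cookies would reach a taken-over subdomain, which is the part of the risk a dangling-record report alone does not make visible.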