CORS Misconfiguration on www.zomato.com
Vulnerability Details
The website at https://www.zomato.com uses Cross-Origin Resource Sharing (CORS) with the intent of allowing cross-domain access only from subdomains of zomato.com. However, due to a flaw in the implementation, the origin check is a bare suffix match: it accepts any origin whose name ends in the string zomato.com, including unrelated domains such as notzomato.com, as shown in the attached screenshot.
This means anyone who registers a domain ending in zomato.com can read arbitrary data from the accounts of other users cross-origin.
To resolve this issue, require that origins end in .zomato.com (with the leading dot, so the match is on a label boundary) rather than in the bare string zomato.com.
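The suffix-match bug and the label-boundary fix described above, as an added Python example that is not part of the report and not Zomato's code. The weak check is the pattern the report describes; the fixed check parses the Origin header and compares the host on a label boundary. Requiring an https scheme is an assumption added here, not something the report states.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "zomato.com"


def origin_allowed_weak(origin: str) -> bool:
    """The flawed check described in the report: a bare string suffix match.
    'https://notzomato.com' ends in 'zomato.com' and is wrongly accepted."""
    return origin.endswith(TRUSTED_DOMAIN)


def origin_allowed_fixed(origin: str) -> bool:
    """Parse the Origin value and accept only the trusted domain itself or
    a host that ends in '.zomato.com' (label boundary, not substring).
    The https requirement is an assumption of this example."""
    try:
        parts = urlsplit(origin)
    except ValueError:
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower()
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def cors_headers(origin: str, allowed) -> dict:
    """Build the CORS response headers for a credentialed request.
    Only reflect the Origin when the allow-check passes; otherwise emit no
    CORS headers at all so the browser blocks the cross-origin read."""
    if not allowed(origin):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Cache keyed on Origin so one allowed reflection is not served to another origin.
        "Vary": "Origin",
    }


if __name__ == "__main__":
    # Constructed sample origins: one trusted subdomain, one look-alike domain.
    for o in ("https://www.zomato.com", "https://notzomato.com"):
        print(o, "weak:", origin_allowed_weak(o), "fixed:", origin_allowed_fixed(o))
```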
Report Stats
- Report ID: 168574
- State: Closed
- Substate: resolved
- Upvotes: 28