TikTok fixes vulnerability that could have exposed user activity data


A potentially dangerous vulnerability in the TikTok video-sharing platform was found by Imperva researchers, and has now been fixed

By Alex Scroxton, Security Editor

Published: 03 May 2023 16:45

Video-sharing social media platform TikTok has fixed a potentially dangerous vulnerability in its application that could have allowed a malicious actor to view and monitor user activity on mobile and desktop devices.

Discovered by red teamers working at Imperva – a provider of data security solutions – the bug was caused by a window message event handler that did not properly validate the origin of messages, which gave attackers access to sensitive user data, explained researcher Ron Masas.

“In recent years, web applications have become increasingly complex, with developers leveraging various APIs [application programming interfaces] and communication mechanisms to enhance functionality and user experience,” he stated.

“One area that has drawn our attention is message event handlers. Based on our experience, these handlers are often overlooked as potential sources of security vulnerabilities, even though they handle input from external sources.”

In this instance, the issue lay in the PostMessage, or HTML5 Web Messaging, API. This is a communication mechanism that allows different windows or iframes to conduct cross-origin communications securely in a web app.

This permits scripts from separate origins to exchange messages and so overcome the restrictions imposed by the Same-Origin Policy, which limits data-sharing between different sources.

Masas and his team discovered a script in TikTok’s web application used for user tracking, which contained a message event handler used to process certain incoming messages for a client-side caching system.

However, they found, this message event handler was not validating the origin of incoming messages properly, meaning it could be susceptible to exploitation by threat actors. They additionally found that the handler sent sensitive user data back in response to those messages.
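The pattern described above, as an added illustration that is not code from the article, from Imperva or from TikTok: a message event handler for a small client-side cache, written so that the origin check runs before the message is parsed, replies go only to the sender at its own origin, and the whole thing can be exercised outside a browser. The origins, the cache helper and the function names (isTrustedOrigin, makeMessageHandler, demo) are assumptions chosen for the example.

```javascript
// Added example, not from the article or the projects it describes.
// A postMessage handler written as a pure function so it can be tested
// without a browser; the origins below are constructed placeholders.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://www.example.com",
]);

// Exact-match origin check. A substring or prefix test such as
// origin.includes("example.com") would also accept
// "https://example.com.attacker.test", so only whole origins are compared.
function isTrustedOrigin(origin, allowed = ALLOWED_ORIGINS) {
  return typeof origin === "string" && allowed.has(origin);
}

// Builds a handler for a client-side cache (a Map owned by the page).
// It serves "cache:get" and "cache:set" requests from trusted origins only
// and silently ignores everything else.
function makeMessageHandler(cache, allowed = ALLOWED_ORIGINS) {
  return function onMessage(event) {
    // 1. Origin check before event.data is touched at all.
    if (!isTrustedOrigin(event.origin, allowed)) {
      return { handled: false, reason: "untrusted-origin" };
    }
    // 2. Validate the message shape; a trusted origin does not make the
    //    payload well-formed.
    const msg = event.data;
    if (!msg || typeof msg !== "object" || typeof msg.key !== "string") {
      return { handled: false, reason: "malformed" };
    }
    let reply;
    if (msg.type === "cache:get") {
      reply = { type: "cache:value", key: msg.key, value: cache.get(msg.key) ?? null };
    } else if (msg.type === "cache:set" && typeof msg.value === "string") {
      cache.set(msg.key, msg.value);
      reply = { type: "cache:ack", key: msg.key };
    } else {
      return { handled: false, reason: "unknown-type" };
    }
    // 3. Reply only to the sender and pin the target origin. Replying with
    //    "*" would let any frame that sent the request read user data back.
    if (event.source && typeof event.source.postMessage === "function") {
      event.source.postMessage(reply, event.origin);
    }
    return { handled: true, reply };
  };
}

// Stand-alone demo with a constructed fake `source` that records replies.
function demo() {
  const cache = new Map([["last_video", "vid-123"]]);   // constructed sample data
  const handler = makeMessageHandler(cache);
  const sent = [];
  const source = { postMessage: (m, origin) => sent.push({ m, origin }) };
  const request = { type: "cache:get", key: "last_video" };
  const trusted = handler({ origin: "https://app.example.com", data: request, source });
  const untrusted = handler({ origin: "https://app.example.com.evil.test", data: request, source });
  return { trusted, untrusted, sent };
}

if (typeof window === "undefined") {
  console.log(JSON.stringify(demo()));
} else {
  // In a browser, the same handler is registered on the page's window.
  window.addEventListener("message", makeMessageHandler(new Map()));
}
```

The two details that matter for the class of bug in the article are the exact-match allowlist on `event.origin` and the pinned target origin on the reply; a handler that skips either step will answer a message from any frame that can obtain a reference to the window.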

“By exploiting this vulnerability, attackers could send malicious messages to the TikTok web application through the PostMessage API, bypassing the security measures,” stated Masas.

“The message event handler would then process the malicious message as if coming from a trusted source, granting the attacker access to sensitive user information.”

The data exposed by this technique could have included information on the victim’s device, such as device type, operating system and browser details; which videos they had viewed and for how long; their account information, including username, videos uploaded and other details; and search queries they had entered into TikTok.

This data could have been used for purposes such as targeted phishing attacks, identity theft and even blackmail, and thus the vulnerability could have proved immensely valuable to a cyber criminal.

“The Imperva Red Team notified TikTok of the vulnerability, which was promptly fixed. We would like to thank TikTok for their quick response and cooperation,” said Masas. “It was a privilege to work alongside the TikTok security team to help make TikTok a safer platform for its users.

“This disclosure serves as a reminder of the importance of proper message origin validation and the potential risks of allowing communication between domains without appropriate security measures,” he added.

Ongoing issues

Although the vulnerability has been fixed, apparently without incident, the issue is the latest in a long line of data privacy concerns that have resulted in increased scrutiny of TikTok around the world, and has even led to a ban on the service on official UK government devices, as well as similar actions in other countries.

Although many of these privacy concerns relate to the alleged links between TikTok’s parent organisation, ByteDance, and the authoritarian Chinese government, this isn’t the first time a vulnerability that could be of use to cyber criminals has been disclosed in the service.

Last autumn, Microsoft highlighted a vulnerability tracked as CVE-2022-28799, which could have enabled threat actors to hijack accounts, view and publicise private TikToks, send messages and upload new content.

This vulnerability existed in how TikTok’s Android app handled a particular type of link, enabling Microsoft’s research team to bypass its link verification mechanism and sneak a malicious link into the WebView component that powers the in-app browser in TikTok.

Microsoft uncovered no evidence that CVE-2022-28799 was ever exploited.

Source: Computer Weekly – https://www.computerweekly.com/news/366536423/TikTok-fixes-vulnerability-that-could-have-exposed-user-activity-data