TikTok fixes vulnerability that could have exposed user activity data

Video-sharing social media platform TikTok has fixed a potentially dangerous vulnerability in its application that could have allowed a malicious actor to view and monitor user activity on mobile and desktop devices.

Discovered by red teamers working at Imperva – a supplier of data protection offerings – the bug was caused by a window message event handler which did not properly validate the origin of messages, which gave attackers access to sensitive user information, explained researcher Ron Masas.

“In recent years, web applications have become increasingly complex, with developers leveraging various APIs [application programming interfaces] and communication mechanisms to enhance functionality and user experience,” he said.

“One area that has drawn our attention is message event handlers. Based on our experience, these handlers are often overlooked as potential sources of security vulnerabilities, even though they handle input from external sources.”

In this instance, the problem lay in the PostMessage, or HTML5 Web Messaging API. This is a communication mechanism that enables different windows or iframes to conduct cross-origin communications securely in a web app.

This allows scripts from separate origins to exchange messages to overcome restrictions imposed by Same-Origin Policies, which limit data-sharing between different sources.

Masas and his team found a script in TikTok’s web application used for user tracking, which contained a message event handler used to process certain incoming messages for a client-side caching system.

However, they found, this message event handler was not validating the origin of incoming messages properly, meaning it could be vulnerable to exploitation by threat actors. They additionally found the handler sent back sensitive user information in response to these messages.

“By exploiting this vulnerability, attackers could send malicious messages to the TikTok web application through the PostMessage API, bypassing the security measures,” said Masas.

“The message event handler would then process the malicious message as if coming from a trusted source, granting the attacker access to sensitive user information.”

The data exposed by this method could have included information on the victim’s device, such as device type, operating system and browser details; which videos they had viewed and for how long; their account information, including username, videos uploaded, and other details; and search queries they had entered into TikTok.

This information could have been used for purposes such as targeted phishing attacks, identity theft or even blackmail, and thus the vulnerability could have proved immensely valuable to a cyber criminal.

“The Imperva Red Team notified TikTok of the vulnerability, which was promptly fixed. We would like to thank TikTok for their quick response and cooperation,” said Masas. “It was a privilege to work together with the TikTok security team to help make TikTok a more secure platform for its users.

“This disclosure serves as a reminder of the importance of proper message origin validation and the potential risks of allowing communication between domains without appropriate security measures,” he added.