Tiktok Resolves Dangerous Vulnerability in App
Tiktok has eliminated a dangerous vulnerability in its application that could have allowed attackers to track users’ actions. The flaw was discovered by specialists at the cybersecurity company Imperva, who notified Tiktok of the issue. According to Imperva, the vulnerability was in the event handler, which did not properly check the source of messages, providing cybercriminals access to users’ confidential information.
Web applications have become increasingly complex in recent years, and developers use various application programming interfaces (APIs) and communication mechanisms to enhance application functionality and user convenience. Event handlers enable complex applications to manage input data from external sources.
One problematic mechanism is the Postmessage (HTML5 Web Messaging API), which is a communication mechanism that allows different windows to exchange data between sources in a web implementation. Postmessage allows scenarios from different sources to exchange messages to overcome the restrictions imposed by a policy of unified origin (Same-origin Policy, SOP) that limits the exchange of data between different sources.
Moreover, the vulnerability allowed attackers to send malicious messages to the Tiktok web application via the API Postmessage to bypass safety measures. The event processor processes a malicious message as if it came from a reliable source, giving hackers access to the user’s confidential information.
Attackers could obtain information about the victim’s device, including the type of device, operating system, and browser, as well as which video users watched and for how long. They could also obtain information about the account, including the user name, uploaded videos, and other data, and search queries in Tiktok. The information obtained could be used to launch targeted phishing attacks, steal personal data, or even engage in blackmail.
With this in mind, Tiktok promptly resolved the vulnerability and thanked Imperva for notifying them of the flaw. Users can continue to enjoy the application with confidence that their data is secure.