Video-sharing social media platform TikTok has fixed a potentially dangerous vulnerability in its application that could have allowed a malicious actor to view and monitor user activity on mobile and desktop devices.
Discovered by red teamers working at Imperva – a supplier of data protection offerings – the bug was caused by a window message event handler that did not properly validate the origin of incoming messages, which could have given attackers access to sensitive user information, explained researcher Ron Masas.
“In recent years, web applications have become increasingly complex, with developers leveraging various APIs [application programming interfaces] and communication mechanisms to enhance functionality and user experience,” he said.
“One area that has drawn our attention is message event handlers. Based on our experience, these handlers are often overlooked as potential sources of security vulnerabilities, even though they handle input from external sources.”
In this instance, the problem lay in the use of postMessage, the HTML5 Web Messaging API. This is a communication mechanism that enables different windows or iframes to exchange data across origins securely within a web app.
It allows scripts from separate origins to exchange messages despite the restrictions imposed by the same-origin policy, which otherwise limits data sharing between different origins. Because a handler for these messages receives input from any window that can reach it, it is expected to check the sender's origin before acting on the message.
Masas and his team found a script in TikTok’s web application used for user tracking, which contained a message event handler used to process certain incoming messages for a client-side caching system.
However, they found, this message event handler was not validating the origin of incoming messages properly, meaning it could be vulnerable to exploitation by threat actors. They additionally found the handler sent back sensitive user information in response to these messages.
“By exploiting this vulnerability, attackers could send malicious messages to the TikTok web application through the PostMessage API, bypassing the security measures,” said Masas.
“The message event handler would then process the malicious message as if coming from a trusted source, granting the attacker access to sensitive user information.”
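The defect described above is a missing origin check in a `message` event handler. The following is an added illustration, not TikTok's or Imperva's code: a deliberately vulnerable handler that answers cache lookups for any sender, beside a hardened one that allow-lists the sender's origin, validates the message shape, restricts which keys may be read and replies only to the verified origin. The cache contents, the trusted origins and the message format are all assumptions constructed for the example; the `makeEvent` helper stands in for a browser `MessageEvent` so the code runs under Node without a DOM.

```javascript
// Added example (not TikTok's or Imperva's code): a vulnerable window
// message handler beside a hardened one, driven by constructed events.

// Constructed stand-in for the client-side cache the article describes.
const cache = new Map([
  ["profile", { username: "demo_user", uploads: 12 }], // constructed sample data
  ["history", ["video-1", "video-2"]],                 // constructed sample data
]);

// Origins this application is willing to answer (assumption for the example).
const TRUSTED_ORIGINS = new Set(["https://app.example.com", "https://cdn.example.com"]);

// Keys the hardened handler is allowed to disclose (assumption for the example).
const READABLE_KEYS = new Set(["history"]);

// Minimal stand-in for a browser MessageEvent plus the sender's window proxy,
// so both handlers can be exercised from a test without a browser.
function makeEvent(origin, data) {
  const sent = [];
  return {
    origin,
    data,
    source: { postMessage: (msg, targetOrigin) => sent.push({ msg, targetOrigin }) },
    sent, // everything the handler posted back, for inspection
  };
}

// VULNERABLE: never looks at event.origin, so any window that can post a
// message to this one receives cached user data in reply. The wildcard
// targetOrigin means the reply is delivered wherever the sender now points.
function vulnerableHandler(event) {
  const { type, key } = event.data || {};
  if (type === "cache:get") {
    event.source.postMessage({ type: "cache:value", key, value: cache.get(key) }, "*");
    return "served";
  }
  return "ignored";
}

// HARDENED: reject unknown origins first, then validate the payload, then
// restrict what may be read, and address the reply to the verified origin.
function hardenedHandler(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return "rejected:origin";
  const data = event.data;
  if (typeof data !== "object" || data === null) return "rejected:shape";
  if (data.type !== "cache:get" || typeof data.key !== "string") return "rejected:shape";
  if (!READABLE_KEYS.has(data.key)) return "rejected:key";
  // Reply to the exact origin that was verified, never "*".
  event.source.postMessage(
    { type: "cache:value", key: data.key, value: cache.get(data.key) },
    event.origin,
  );
  return "served";
}

// In a real page the hardened handler would be registered as:
//   window.addEventListener("message", hardenedHandler);
```

The return values ("rejected:origin", "rejected:key" and so on) are there so the rejections can be counted or logged; a spike in messages from unexpected origins against a production handler is the signal a defender would want to see.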
The data exposed by this method could have included information on the victim’s device, such as device type, operating system and browser details; which videos they had viewed and for how long; their account information, including username, videos uploaded, and other details; and search queries they had entered into TikTok.
This information could have been used for purposes such as targeted phishing attacks, identity theft or even blackmail, and thus the vulnerability could have proved immensely valuable to a cyber criminal.
“The Imperva Red Team notified TikTok of the vulnerability, which was promptly fixed. We would like to thank TikTok for their quick response and cooperation,” said Masas. “It was a privilege to work together with the TikTok security team to help make TikTok a more secure platform for its users.
“This disclosure serves as a reminder of the importance of proper message origin validation and the potential risks of allowing communication between domains without appropriate security measures,” he added.
Although the vulnerability has been fixed, apparently without incident, the issue is the latest in a long line of data privacy concerns that have resulted in increased scrutiny of TikTok around the world, and has even led to a ban on the service on official UK government devices, as well as similar actions in other countries.
Although many of these privacy concerns relate to the supposed links between TikTok’s parent organisation, ByteDance, and the authoritarian Chinese government, this is not the first time a vulnerability that could be of use to cyber criminals has been disclosed in the service.
Last autumn, Microsoft highlighted a vulnerability tracked as CVE-2022-28799, which could have enabled threat actors to hijack accounts, view and publicise private TikToks, send messages and upload new content.
This vulnerability existed in how TikTok’s Android app handled a specific type of hyperlink, enabling Microsoft’s research team to bypass its link verification mechanism and sneak a malicious link into the WebView component that powers the in-app browser in TikTok.
Microsoft uncovered no evidence that CVE-2022-28799 was ever exploited.