The vulnerability, which has now been patched, was the result of a window message event handler’s failure to accurately verify the message’s origin, providing attackers access to users’ sensitive data.
PostMessage API
The PostMessage API (also known as the HTML5 Web Messaging API) is a communication mechanism that permits safe cross-origin communication between several windows or iframes inside a web application. The API enables scripts from different origins to exchange messages, overcoming the restrictions imposed by the Same-Origin Policy, which normally prevents data sharing between distinct origins on the web.
The API consists of the window.postMessage() method and the message event. The postMessage() method is used to send a message from the source window to the target window or iframe, while the message event is fired on the receiving end when a new message arrives. During its code analysis, the team discovered a script in TikTok’s web application that appeared to be involved in user tracking.
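The failure described above, a message event handler that never checks where a message came from, beside a hardened handler that does, as an added example that is not code from the Imperva report or from TikTok. The handlers are written as plain functions returning a result object so they run outside a browser; the origins, action names and sample events are constructed placeholders.

```javascript
// Constructed allowlist standing in for the application's own trusted origins.
const TRUSTED_ORIGINS = new Set([
  "https://app.example",       // placeholder: the application's own origin
  "https://analytics.example", // placeholder: a trusted partner origin
]);
const ALLOWED_ACTIONS = new Set(["track", "ping"]); // constructed message schema

// Weak pattern: event.origin is never consulted, so any page holding a reference
// to this window (opener, parent, embedded iframe) can have its message acted on.
function handleMessageUnchecked(event) {
  const { action, payload } = event.data || {};
  return { accepted: true, action, payload };
}

// Hardened pattern: exact-match origin allowlist (no includes()/startsWith()
// checks that a lookalike host defeats) plus a strict shape check on the payload.
function handleMessageChecked(event) {
  if (typeof event.origin !== "string" || !TRUSTED_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: "untrusted origin: " + event.origin };
  }
  const data = event.data;
  if (!data || typeof data !== "object" || typeof data.action !== "string") {
    return { accepted: false, reason: "malformed message" };
  }
  if (!ALLOWED_ACTIONS.has(data.action)) {
    return { accepted: false, reason: "unknown action: " + data.action };
  }
  return { accepted: true, action: data.action, payload: data.payload };
}

// Sending side: name the target origin instead of "*" so the browser drops the
// message if the target window has since navigated to another origin.
function sendTracked(targetWindow, payload) {
  targetWindow.postMessage({ action: "track", payload }, "https://app.example");
}

// Constructed events in the shape the browser delivers to a "message" listener.
const fromAttacker = { origin: "https://attacker.example", data: { action: "track", payload: { uid: 1 } } };
const fromLookalike = { origin: "https://analytics.example.evil", data: { action: "track", payload: {} } };
const fromTrusted = { origin: "https://analytics.example", data: { action: "track", payload: { uid: 1 } } };

// In a real page the hardened handler is wired up like this; skipped under Node.
if (typeof window !== "undefined") {
  window.addEventListener("message", (e) => handleMessageChecked(e));
}
```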
The Imperva report states that “the first step in discovering the vulnerability was to identify all the message event handlers in TikTok’s web application. This involved a comprehensive analysis of the source code in
[…]