The exploit involved sending a malicious message through the TikTok web application using the PostMessage API, evading security measures in place. Once the message was processed by the app’s event handler, the attacker could gain access to user data, including device details, viewed videos, time spent on each video, user account information, and search queries.
The discovery of this vulnerability adds to the ongoing concerns surrounding TikTok, which has faced scrutiny due to its Chinese ownership by ByteDance. With over 1.5 billion users worldwide, including millions in the United States, TikTok has faced accusations of potential privacy breaches and unauthorized access due to its association with the Chinese government.
