This article has an interesting mix of web and mobile vulns that help each other out!
Most web APIs are getting smarter about what they expose client side, because anything sent to the client is easy to inspect. This goes to show that reversing and effort on difficult targets will pay off! Simply tampering with a parameter made it possible to send a text message to any user as TikTok.
My main takeaway was the intent hijacking via the custom TikTok URI. By sending a user a link with the custom URI, they could direct users to different intents on the mobile device (even to the browser!). This could then be used as a CSRF vulnerability. Super interesting CSRF bug!
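One defensive measure against that kind of deep-link redirection is to validate the target carried in a custom-scheme link before the app acts on it. The following is an added example, not code from the original post or from TikTok; the `myapp://open?target=...` link shape, the `app.invalid` base origin and the route allow-list are all assumptions made for the illustration.

```javascript
// Added example (not from the original post or the TikTok app).
// Validates the target of a custom-scheme deep link so that a link sent to a
// user can only open an allow-listed in-app route, never an arbitrary
// activity or an external browser URL.

// Assumed scheme and link shape: myapp://open?target=/some/in-app/path
const APP_SCHEME = 'myapp:';
const ALLOWED_ROUTES = new Set(['/profile', '/video', '/settings/notifications']);

// Fixed base used only to resolve the target. Anything that changes the
// origin after resolution (an absolute scheme, a protocol-relative //host,
// a backslash trick, a javascript: or intent: target) is an external
// redirect and is rejected.
const BASE = 'https://app.invalid';

// Returns the validated in-app path (plus query), or null if the link must
// be ignored.
function resolveDeepLink(link) {
  let url;
  try { url = new URL(link); } catch { return null; }
  if (url.protocol !== APP_SCHEME || url.host !== 'open') return null;

  const target = url.searchParams.get('target');
  if (!target) return null;

  let resolved;
  try { resolved = new URL(target, BASE); } catch { return null; }
  if (resolved.origin !== BASE) return null;       // left our own origin

  const path = resolved.pathname;
  const allowed = [...ALLOWED_ROUTES].some(
    (route) => path === route || path.startsWith(route + '/'),
  );
  if (!allowed) return null;                        // not a known route

  return path + resolved.search;
}

// Stand-alone demonstration with constructed links.
for (const link of [
  'myapp://open?target=/profile/42',
  'myapp://open?target=http://evil.example/',
  'myapp://open?target=//evil.example/x',
  'myapp://open?target=/admin',
]) {
  console.log(link, '->', resolveDeepLink(link));
}
```

The check resolves the untrusted target against a fixed origin and then compares origins; that single comparison rejects every form of "leave the app" target without needing a deny-list of schemes, and the route allow-list keeps a valid-looking path from reaching screens a link should never open.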
Finally, there was a Same Origin Policy (SOP) bypass that was really interesting. The SOP enforces that website A cannot read data returned by website B, even though the cookies are automatically sent with the request. However, JSONP does not follow the SOP: the response is loaded through a script tag and executed in the calling page, which the SOP does not restrict. By abusing the JSONP requests, it was possible to bypass SOP altogether.
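To make the JSONP point concrete, here is an added example (not code from the original post or from TikTok) that models an endpoint the way a browser exercises it: a JSONP handler that hands account data to any page that embeds it as a script, beside a hardened handler that returns plain JSON and requires an allow-listed `Origin`. The session store, the cookie name `sid` and the `https://app.example.com` origin are constructed for the example.

```javascript
// Added example (not from the original post or the TikTok API).
// Models why a JSONP endpoint sidesteps the Same Origin Policy and what a
// hardened endpoint changes.

// Constructed session store: cookie value -> account data.
const SESSIONS = { 'sess-123': { userId: 42, phone: '+15550001234' } };

// Minimal Cookie header parser (example only).
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const [k, ...rest] = part.trim().split('=');
    if (k) out[k] = rest.join('=');
  }
  return out;
}

function lookupSession(req) {
  return SESSIONS[parseCookies(req.headers.cookie).sid] || null;
}

// Vulnerable: wraps account data in a caller-chosen callback. A third-party
// page that embeds <script src="https://api.example/me?callback=leak">
// receives the data, because the browser attaches the victim's cookie and
// executes the returned script in the embedding page. The SOP never gets a
// chance to block the read.
function vulnerableJsonp(req) {
  const session = lookupSession(req);
  if (!session) return { status: 401, body: '' };
  const cb = req.query.callback || 'callback';
  return {
    status: 200,
    contentType: 'application/javascript',
    body: `${cb}(${JSON.stringify(session)});`,
  };
}

// Hardened: returns plain JSON (a <script> tag cannot consume it), requires
// an Origin header on an allow-list (a <script> tag sends none), and marks
// the body nosniff so the browser will not reinterpret it.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // assumed value
function hardenedApi(req) {
  const origin = req.headers.origin;
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return { status: 403, body: '' };
  const session = lookupSession(req);
  if (!session) return { status: 401, body: '' };
  return {
    status: 200,
    contentType: 'application/json',
    headers: {
      'Access-Control-Allow-Origin': origin,
      'X-Content-Type-Options': 'nosniff',
    },
    body: JSON.stringify(session),
  };
}

// Simulates what a third-party page obtains by injecting a <script> tag:
// the browser sends the victim's cookie (pre-SameSite default), sends no
// Origin, and executes whatever script comes back. Returns the captured
// data, or null when nothing executable was returned.
function crossSiteScriptTagLoad(handler, cookieHeader) {
  const req = { headers: { cookie: cookieHeader }, query: { callback: 'leak' } };
  const res = handler(req);
  if (res.status !== 200 || res.contentType !== 'application/javascript') return null;
  let captured = null;
  const leak = (data) => { captured = data; };
  new Function('leak', res.body)(leak); // executes the JSONP payload
  return captured;
}

console.log('JSONP leaks:', crossSiteScriptTagLoad(vulnerableJsonp, 'sid=sess-123'));
console.log('Hardened leaks:', crossSiteScriptTagLoad(hardenedApi, 'sid=sess-123'));
```

Marking the session cookie `SameSite=Lax` would also stop the leak, since a cross-site script load is not a top-level navigation and would then carry no cookie; the handler-side changes above are the ones that remain effective for clients that still send the cookie.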