TikTok - web app Sensitive Data Exposure Vulnerability

2025.01.05
Razi (AE)
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

## Title: TikTok - web app Sensitive Data Exposure Vulnerability
## Author: Parastou Razi
## Contact: razi.parastoo@gmail.com
## Date: 2025-01-04
## Vendor: https://www.tiktok.com/
## Software: https://www.tiktok.com/
## Reference: https://portswigger.net/support/using-burp-to-test-for-sensitive-data-exposure-issues

## Vulnerability Description:
Web applications must manage various secrets such as API keys, database credentials and cryptographic secrets. These secrets must be kept private, but they are sometimes leaked via JavaScript files, error messages, etc.

[+] Proof:

## URL: https://www.tiktok.com/search/user

## Secrets:
Google Cloud API Key: "firebase":"AIzaSyDHGqRfibWT6DffZBTYlhXfTQHAP_ri1MI"}

## Request:
GET /search/user?q= HTTP/1.1
Referer: https://www.tiktok.com/
Cookie: tt_csrf_token=GKz0rOeT-gFgg4tRvwzwH05eIkKMn4-G4pJc; ttwid=1%7CvMMAQQgsKe2rbkBo3QdDsLQveYLR7dZfykpzv2DuJs4%7C1735981300%7C2c7e2e46c58aeb29133d5039c30949ddde174897afd139c2c952fd80ddea99bf; tt_chain_token=B+X+xhDtW6LGhygwyBCH9w==
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: www.tiktok.com
Connection: Keep-alive
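The class of issue described above (a credential format embedded in a served HTML/JavaScript response) is something a defender can check for in their own build output or in captured responses before release. The following is an added example, not code from the advisory or from TikTok: a small scanner that walks a response body line by line, matches well-known secret formats (the Google/Firebase "AIza" key format the advisory reports, plus two common companions), and reports each hit with the value redacted so the report itself does not re-leak the secret. The pattern set, the Finding shape and SAMPLE_BODY are all assumptions made for this example; the key inside SAMPLE_BODY is a constructed placeholder in the Google key format, not a real credential.

```python
import re
from dataclasses import dataclass

# Secret formats that commonly end up in client-side JavaScript.
# The Google/Firebase key format ("AIza" followed by 35 URL-safe chars)
# is the one reported in the advisory; the other two are assumptions
# added to make the scanner useful beyond that single case.
SECRET_PATTERNS = {
    "google_api_key": re.compile(r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"),
    "aws_access_key_id": re.compile(r"(?<![0-9A-Z])(?:AKIA|ASIA)[0-9A-Z]{16}(?![0-9A-Z])"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass
class Finding:
    kind: str       # which pattern matched
    line: int       # 1-based line number in the scanned body
    context: str    # surrounding text with the secret replaced by its redacted form
    redacted: str   # first/last 4 chars only: enough to correlate, safe for tickets


def redact(secret: str) -> str:
    """Keep just enough of the value to match it in a console, never the whole thing."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return f"{secret[:4]}...{secret[-4:]}"


def find_exposed_secrets(body: str) -> list[Finding]:
    """Scan a response body (HTML or JS) and return redacted findings."""
    findings: list[Finding] = []
    for lineno, line in enumerate(body.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group(0)
                # A little context on either side helps triage: which config
                # object the value sits in, which key name it is bound to.
                start = max(0, m.start() - 30)
                end = min(len(line), m.end() + 10)
                context = line[start:end].replace(secret, redact(secret))
                findings.append(Finding(kind, lineno, context.strip(), redact(secret)))
    return findings


# Constructed sample page with an inline config blob. The "firebase" value is a
# placeholder in the Google key format (AIza + 35 chars), not a real key.
SAMPLE_BODY = """<!doctype html>
<html><head><title>search</title></head>
<body>
<script>
window.__CONFIG__ = {"region":"eu","firebase":"AIzaSyEXAMPLEEXAMPLEEXAMPLEEXAMPLE00000"};
window.__BUILD__ = "2025.01.04";
</script>
</body></html>
"""

if __name__ == "__main__":
    for f in find_exposed_secrets(SAMPLE_BODY):
        print(f"[{f.kind}] line {f.line}: {f.redacted}  |  {f.context}")
```

Run it over each served asset (or a saved proxy response) in a release pipeline and fail the build on any hit. Every hit is a candidate for triage rather than a confirmed leak: a Firebase web API key is intentionally client-visible and its real exposure depends on the application and API restrictions applied to it in the Google Cloud console, which is exactly what the triage step should verify.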

References:

https://portswigger.net/support/using-burp-to-test-for-sensitive-data-exposure-issues

