Issue 66: Vulnerabilities in TikTok and InfiniteWP Client, AppSecCali 2020


This week, we check how several API vulnerabilities in TikTok can lead to attackers taking over the social media account, and how an admin plugin for WordPress had an API allowing for an authentication bypass. In other news, the OWASP security conference kicks off next week in California, and we take a look at API security trends in 2020.

Vulnerability: TikTok

Check Point Research has unearthed a chilling list of API vulnerabilities in TikTok, the highly popular social media app:

  • An exposed API allowed SMS spoofing, so attackers could contact any user on TikTok behalf with links to their malicious site.
  • Insufficient regex validation allowed redirects to attacker URLs, in turn opening the door to further attacks, such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF).
  • No protection against CSRF allowed attackers to perform actions on user behalf, such as delete or add videos, make private videos public, access user profile information, and so forth.

Check Point Research describes all the exploits in their brilliantly detailed post. The good news is that TikTok has fixed them.

Vulnerability: InfiniteWP Client for WordPress

An API security vulnerability with authentication bypass was found in a popular InfiniteWP Client plugin. The plugin is installed on more than 300 thousand sites, so the impact is significant.

The plugin provides remote WordPress management capabilities. Thus, there are client and server components communicating with each other via API.

Typical API use requires authentication. However, there is one scenario – new site creation – for which admin access is temporarily granted via a POST API call with the payload {"iwp_action":"add_site","params":{"username":"admin"}}.

Attackers can use this call to gain access and thus bypass authentication checks for other activities.

This vulnerability is another example why web application firewalls (WAFs) are not sufficient for API vulnerabilities. As Wordfence post admits, there is no way to tell malicious calls apart from legitimate ones, so a simple firewall rule is not enough to fix the issue. They had to release a new update with specific functionality that can differentiate between legitimate and malicious use by analyzing WordPress internal state.

Conferences: AppSec California 2020

One of the main OWASP events of the year, OWASP AppSec California 2020, takes place next week, Jan 21-24, in Santa Monica, CA.

This is a great cybersecurity conference in general, and the program includes some API security sessions including:

  • Building Secure API’s and Web Applications by Jim Manico
  • Attacking and Defending Containerized Apps and Serverless Tech by Tilak Thimmappa and Nithin Jois
  • DevSecOps enabled micro-perimeter API protection by Lukasz Radosz
  • OAuth 2.0 Misimplementation, Vulnerabilities and Best Practices by Pak Foley
  • Achieve AI-powered API Privacy using Open Source by Gianluca Brigandi
  • JWT Parkour by Louis Nyffenegger
  • Are You Properly Using JWTs? by Dmitry Sotnikov

Registration is still open, so if you are around and interested, highly recommended.

Opinion: API security in 2020

Ericka Chickowski joins the choir of experts hailing API security as a top concern for cybersecurity in 2020.

In her write-up, Chickowski compiles the latest stats and trends related to API spread & API security, and also talks about the OWASP API Security Top 10 project.


Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy