F-001 PoC — Tea SDK postMessage substring origin bypass

This page demonstrates that the Tea SDK collect.js postMessage handler accepts cross-origin messages from any origin whose string contains one of the allowlist substrings (e.g. https://data.bytedance.net). The page's own origin is shown below; it MUST start with https://data.bytedance.net. for the bypass to be demonstrable.

This page's origin:

Log

What you should see if the bypass works

[send] sent postMessage with type=tea:openHeatMapCore to popup
[recv] message from https://developers.tiktok.com — data: {"type":"...","payload":"... ScriptloadSuccess"}

The smoking gun is the [recv] line: it means the TikTok page's collect.js handler accepted the message and invoked the registered handler, which in turn called fi(event.source, ...) to post a status message back to this page's origin. Under a correct strict-equality origin check that reply should never reach a non-TikTok origin.
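For reference, the check pattern at issue and its hardened counterparts, written out as an added example (this is illustrative code, not the Tea SDK's collect.js; the allowlist entries and the handler shape are assumed for the example). The substring check reproduces the e.origin.indexOf(t)>-1 pattern described above; the strict check compares the whole origin string; the parsed check additionally confirms the input is a bare origin and compares scheme and host exactly, which also rejects the opaque origin "null".

```javascript
// Added example, not code from the Tea SDK or the PoC page.
// Constructed allowlist for illustration only.
const ALLOWED_ORIGINS = [
  "https://data.bytedance.net",
  "https://developers.tiktok.com",
];

// Vulnerable pattern: mirrors e.origin.indexOf(t) > -1. Any origin that merely
// CONTAINS an allowlisted string (e.g. https://data.bytedance.net.attacker.example)
// passes.
function substringOriginCheck(origin, allowed = ALLOWED_ORIGINS) {
  return allowed.some((t) => origin.indexOf(t) > -1);
}

// Hardened: the origin must equal an allowlist entry exactly.
function strictOriginCheck(origin, allowed = ALLOWED_ORIGINS) {
  return allowed.includes(origin);
}

// Hardened and structural: parse the origin, require that it is a bare origin
// (scheme://host[:port], no path), then compare scheme and host exactly.
// "null" (opaque origin) fails URL parsing and is rejected.
function parsedOriginCheck(origin, allowed = ALLOWED_ORIGINS) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false;
  }
  if (url.origin !== origin) return false; // reject paths, trailing slashes, etc.
  return allowed.some((t) => {
    const a = new URL(t);
    return a.protocol === url.protocol && a.host === url.host;
  });
}

// Assumed handler shape: a message listener that drops (and does not reply to)
// any event whose origin fails the check.
function makeMessageHandler(onAccepted, check = strictOriginCheck) {
  return function handleMessage(event) {
    if (!check(event.origin)) return; // silently ignore; never post a reply
    onAccepted(event);
  };
}

// Stand-alone demonstration with constructed event objects.
function demo() {
  const spoofed = "https://data.bytedance.net.attacker.example"; // constructed
  const genuine = "https://data.bytedance.net";
  return {
    substringAcceptsSpoofed: substringOriginCheck(spoofed), // true (the bug)
    strictAcceptsSpoofed: strictOriginCheck(spoofed),       // false
    parsedAcceptsSpoofed: parsedOriginCheck(spoofed),       // false
    strictAcceptsGenuine: strictOriginCheck(genuine),       // true
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

When a browser delivers a message event, event.origin is always a serialized origin (scheme, host, optional port) or the literal string "null", so an exact comparison against the allowlist is both sufficient and cheap; the parsed variant only adds defence against an allowlist entry that was itself written with a path or trailing slash.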

Manual breakpoint check (recommended before claiming)

  1. Open the target popup, F12 → Sources tab.
  2. Find collect.js (Ctrl-P, filter "collect").
  3. Pretty-print (the {} icon at the bottom).
  4. Search for e.origin.indexOf(t)>-1 — set a breakpoint on that line.
  5. Click "Send postMessage" on this page.
  6. When the breakpoint fires, hover e.origin and t. Confirm e.origin === "https://data.bytedance.net.<yourdomain>.com", t === "https://data.bytedance.net", and the expression returns true.