Recently, cybersecurity researchers from Imperva identified a critical security flaw in the highly popular social media app TikTok. This vulnerability could have allowed threat actors to access sensitive user data from their devices, potentially resulting in identity theft, phishing, or blackmail attacks involving TikTok’s security.
Data at risk
The vulnerability has since been fixed, but it raises concerns about the app’s overall security. It was found in how TikTok managed incoming messages. Attackers could send a malicious message to the web application via the PostMessage API, bypassing security measures. The message event handler would then process the message as secure, giving the attacker access to valuable information.
By exploiting the vulnerability, attackers could access a wealth of data, including user device information (device type, operating system, browser), videos viewed, time spent on each video, user account data (usernames, videos, other account details), and search queries.
TikTok’s controversial status
TikTok, a social media app developed by Chinese company ByteDance, has over 1.5 billion users worldwide, with more than 150 million in the U.S. alone. Recently, the app’s security has been questioned by the U.S. government, which alleges that the Chinese government could potentially exert control over these companies, forcing them to allow unauthorized backdoor access to sensitive user data.
In response to these concerns, the U.S. government has taken several actions against TikTok and other Chinese companies, such as banning Huawei from developing 5G infrastructure in the States. For TikTok, the government initially required the company to store all data within the U.S. and later instructed its employees to remove the app from government-issued devices due to national security concerns.
TikTok, as well as other Chinese companies, refutes any allegations of misconduct or participation in activities that compromise user security. However, this recently discovered security flaw emphasizes the need for users to remain cautious and vigilant while using the app and sharing personal information on the platform.
{{user}} {{datetime}}
{{text}}