Researchers from Imperva found a flaw in the popular social media app TikTok that could have let threat actors steal sensitive data from victim devices. This data could have been used for identity theft, phishing, or blackmail.
The bug, which has since been fixed, was found in how the app handled incoming messages. The researchers described the method as follows: an attacker could use the PostMessage API to send a malicious message to the TikTok web application, bypassing its security checks. The message event handler would then inspect the message, judge it safe, and hand the attacker access to the sensitive information.
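The flaw described above is the classic postMessage mistake: a message event handler that trusts the message because it arrived, without checking where it came from. The following is an added illustration, not code from TikTok or from Imperva's report. It shows a handler that answers any sender beside a hardened one that checks event.origin against an allowlist, validates the message shape, and pins its reply to the sender's origin. The origin https://app.example.com, the USER_CONTEXT object and the fakeEvent helper are constructed stand-ins so the example runs under Node without a browser.

```javascript
// Added example (not TikTok's or Imperva's code): weak vs. hardened postMessage handling.

// Constructed allowlist of origins permitted to ask for user context.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Constructed stand-in for the kind of data the handler can reach (device info, account data).
const USER_CONTEXT = { user: 'alice', device: 'iOS 16 / Safari', lastSearch: 'cats' };

// Weak pattern: trusts the message because it arrived via postMessage and replies to
// whoever asked, with a '*' target origin. Any page that can obtain a window reference
// (e.g. by embedding this one) is treated as trusted.
function vulnerableHandler(event) {
  const msg = event.data;
  if (msg && msg.type === 'getContext') {
    event.source.postMessage({ ctx: USER_CONTEXT }, '*');
    return 'leaked';
  }
  return 'ignored';
}

// Hardened pattern: reject unknown origins first, then validate the message schema,
// then reply only to the verified origin (never '*').
function hardenedHandler(event, allowed = ALLOWED_ORIGINS) {
  if (typeof event.origin !== 'string' || !allowed.has(event.origin)) {
    return 'rejected-origin';
  }
  const msg = event.data;
  if (!msg || typeof msg !== 'object' || msg.type !== 'getContext') {
    return 'rejected-schema';
  }
  event.source.postMessage({ ctx: USER_CONTEXT }, event.origin);
  return 'ok';
}

// Constructed MessageEvent stand-in: records what the handler sends back and to which target.
function fakeEvent(origin, data) {
  const sent = [];
  return {
    origin,
    data,
    sent,
    source: { postMessage: (m, targetOrigin) => sent.push({ m, targetOrigin }) },
  };
}

// In a browser the hardened handler would be registered as:
//   window.addEventListener('message', hardenedHandler);
```

The order of checks matters: the origin check comes before any parsing of event.data, so a message from an unexpected origin is discarded before its contents can influence anything. Replying with event.origin rather than '*' closes the second half of the hole, where the response itself could be read by a window other than the one the application meant to talk to.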
User account details
By taking advantage of the vulnerability, attackers could get access to a treasure trove of valuable data, such as user device data (device type, operating system, browser used, etc.), videos viewed, time spent on each video, user account data (usernames, videos, and other account details), and search queries (what the user searched for on the platform).
Even without the bugs, TikTok is, to put it mildly, a controversial app. It was made by a Chinese company called ByteDance, and more than 1.5 billion people use it. In the U.S. alone, there are more than 150 million users. The US government has recently started to scrutinize and ban Chinese companies, arguing that the Chinese government has a tight grip on them and could force them at any time to grant unauthorized backdoor access.
Because of this, Huawei wasn’t allowed to build the 5G infrastructure in the United States. As for TikTok, the U.S. government first told the company to keep all of its data in the country and then recently told its employees to remove the app from government-issued devices, citing national security concerns. Like many other Chinese companies, TikTok is denying that it has done anything wrong.