Cybersecurity researchers from Imperva have uncovered a flaw in the popular social media app TikTok which could have allowed threat actors to exfiltrate sensitive data from victim devices to be used in identity theft attacks, phishing, or for blackmail.
The vulnerability, which has since been fixed, was found in the way the app handled incoming messages. Explaining the method, the researchers said the attackers could send a malicious message to the TikTok web application through the PostMessage API, which would glide past any security measures.
The message event handler would then process the message and deem it secure, granting the attacker access to the valuable information.
User account details
By exploiting the vulnerability, the attackers could gain access to a treasure trove of valuable data, such as user device data (device type, operating system, browser used, etc.), videos viewed (what videos the victim viewed), the time spent on each video, user account data (usernames, videos, other account details), search queries (what the user searched for on the platform).
Even without the vulnerabilities, TikTok is a controversial app, to put it mildly. It was built by a Chinese company called ByteDance, and has more than 1.5 billion users (more than 150 million in the U.S. alone).
Recently, the US government started scrutinizing and banning Chinese companies, claiming their government has a tight grip on them and could force them to allow for unauthorized backdoor access at any point.
Huawei was banned from developing the 5G infrastructure in the States, for that very reason. As for TikTok, the U.S. government first forced the company to store all of the data in the country, and then recently told its employees to remove the app from government-issued devices, citing matters of national security.
TikTok, much like many other Chinese companies, is denying any involvement in any wrongdoing.