David Manion

TikTok Has an Abundance of Security Flaws Leaving User Data Wide Open


The popular social media platform TikTok was found to contain a vulnerability in its web application that could let an attacker track a user's activity on both mobile and desktop browsers and obtain sensitive account data, the kind of information that can be used in follow-on attacks such as blackmail and identity theft.





Imperva Discovers a TikTok Vulnerability

Threat research by Imperva, a cybersecurity firm, revealed a weakness in a window message event handler in TikTok's web application code: the handler failed to check the origin of incoming messages, giving an attacker a path to private user data.


According to the company, message event handlers are a frequently overlooked source of vulnerabilities in web applications, even though they process input that arrives from external sources.


In TikTok's case, the affected handler was attached wherever the postMessage API was used. postMessage is the browser mechanism for cross-origin communication between a source window and a target window; it is only secure if the receiving side validates the origin of each message it handles.


Upon further investigation, Imperva found that an attacker could use postMessage to send a crafted message to the TikTok web application from a page under their control, for example one that opened or framed the app. Because the handler did not verify the sender's origin, the message was processed as if it had come from a trusted source, and the handler responded with the sensitive data it was designed to share only with the application's own windows.


By exploiting the flaw, an attacker could obtain information about the user's device (device type, operating system, browser and so on) as well as the user's video watch history.


The attacker could also learn how long the user spent watching each video, account information such as the username, the user's videos and other account details, and what the user had searched for on the platform.
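The bug class described above, as an added example that is not TikTok's or Imperva's code: a page-level message handler that answers a "give me the user's context" request without checking `event.origin`, beside a hardened version that allow-lists the expected origin, validates the message shape and replies with an explicit target origin. The origin `https://app.example`, the `get-user-context` message type, the sample user record and the test-double window are all assumptions constructed for this demonstration; the code runs in Node without a browser by simulating the event object the browser would deliver.

```javascript
// Added example (not TikTok's or Imperva's code): a minimal model of an
// origin-unchecked window message handler and its hardened counterpart.
// APP_ORIGIN, the message type and the user record are constructed for this demo.
const APP_ORIGIN = "https://app.example";

// Constructed sample of the kind of private state a page handler can reach.
const userContext = {
  username: "alice",
  device: "desktop/linux",
  watchHistory: ["video-1", "video-2"],
  searches: ["cats"],
};

// Vulnerable pattern: trusts any window that sends the right message type.
// Nothing here looks at event.origin, so a page on another origin that
// opened or framed the app gets the same answer as the app's own widgets.
function vulnerableHandler(event) {
  const msg = event.data || {};
  if (msg.type === "get-user-context") {
    event.source.postMessage({ type: "user-context", data: userContext }, "*");
    return "leaked";
  }
  return "ignored";
}

// Hardened pattern: exact-match the origin against an allow-list, validate the
// payload, and reply only to the verified origin (never to "*").
function hardenedHandler(event, allowedOrigins = [APP_ORIGIN]) {
  if (!allowedOrigins.includes(event.origin)) {
    return "rejected-origin";
  }
  const msg = event.data;
  if (typeof msg !== "object" || msg === null || msg.type !== "get-user-context") {
    return "ignored";
  }
  event.source.postMessage({ type: "user-context", data: userContext }, event.origin);
  return "served";
}

// Test double for the sending window: records what the handler posts back
// instead of delivering it across a real window boundary.
function makeSenderWindow() {
  const received = [];
  return {
    received,
    postMessage(data, targetOrigin) {
      received.push({ data, targetOrigin });
    },
  };
}

// Simulates the browser delivering `data` to `handler` from a page at `origin`,
// i.e. what target.postMessage(data, "*") from that page would trigger.
function simulateMessage(handler, origin, data) {
  const source = makeSenderWindow();
  const outcome = handler({ origin, data, source });
  return { outcome, received: source.received };
}

// The attacker page sends exactly the message the app's own code sends;
// only the origin check separates the two handlers' behaviour.
function runDemo() {
  const request = { type: "get-user-context" };
  return {
    vulnerableFromAttacker: simulateMessage(vulnerableHandler, "https://evil.example", request),
    hardenedFromAttacker: simulateMessage(hardenedHandler, "https://evil.example", request),
    hardenedFromApp: simulateMessage(hardenedHandler, APP_ORIGIN, request),
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The check that matters is an exact string comparison of `event.origin` against a fixed allow-list; prefix or substring tests (`origin.startsWith("https://app.example")`, `origin.includes("app.example")`) are a common way to reintroduce the bug, since `https://app.example.attacker.net` passes them. Replying with `event.origin` rather than `"*"` as the target origin closes the symmetrical leak, where the answering window has been navigated elsewhere by the time the reply is posted.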


“This weakness is an excellent example of how privacy and security in social networks largely depend on the companies that provide the service,” said Nadav Avital, Director of threat research at Imperva.


“Unsafe use of a function that depends on external input leaked personal information that could have been used by hackers for further attacks such as phishing, blackmail, or alternatively for attacks on devices of high-profile users,” he said.


Imperva reported the issue to TikTok, which fixed it promptly, so the event handler no longer poses a threat to the web app's users.


TikTok said, "Through our partnership with the security researchers at Imperva, we discovered and quickly fixed a vulnerability present in some older versions of the web app. We deeply thank the Imperva researchers for their efforts to help identify potential issues so we can swiftly resolve them."


TikTok continues to face scrutiny over data privacy concerns

Although the vulnerability has been fixed, with no known exploitation, it is the latest in a long line of data privacy concerns that have led to increased scrutiny of TikTok worldwide. The platform has been in the spotlight for months over the safety of users' data.

This has led many countries, including Australia, France, the Netherlands, Norway and Denmark, to restrict or ban the app on government-issued devices.


The app, developed by the Chinese technology company ByteDance, has over 1.5 billion users worldwide, more than 150 million of them in the US alone. While most of the concerns relate to its links with its parent company, the app itself is not free of security issues.


In August 2022, Microsoft disclosed a vulnerability in the TikTok Android app, tracked as CVE-2022-28799, that could have allowed a threat actor to hijack accounts, view and share private TikTok videos, send messages and upload new content.


The flaw lay in how the Android app handled a particular kind of deep link: Microsoft's researchers were able to bypass the app's link verification and load an attacker-controlled URL directly into the WebView component that runs TikTok's in-app browser, where the page could reach functionality exposed to the app's own content.


Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
