2023-05-08

Imperva cybersecurity researchers recently discovered a vulnerability in the widely used social media app TikTok. This flaw had the potential to allow attackers to extract sensitive data from targeted devices, exposing victims to identity theft, phishing, and blackmail.

The vulnerability, now rectified, resided in the app's handling of incoming messages. The researchers explained that attackers could exploit this weakness by sending a malicious message to the TikTok web application through the browser's postMessage API, effectively bypassing the existing security measures.

Upon receiving the message, the app's event handler would process it and treat it as trusted, thus granting the attacker access to valuable information.

By leveraging this vulnerability, malicious actors could acquire a wealth of valuable data. This includes user device information (such as device type, operating system, and browser), details about the videos viewed by the victim (including specific videos and the duration of each view), user account data (including usernames, videos, and other associated information), as well as search queries made on the app.
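The weakness described above is a classic postMessage handler flaw: a `message` event listener that acts on whatever it receives without checking where the message came from. The following is an added illustration, not Imperva's or TikTok's code, of a handler that trusts every sender next to a hardened one that validates `event.origin` against an allowlist and replies only to that origin. The origin `https://app.example.com`, the message type `getAnalytics`, and the sample data store are all constructed for the example; event objects are built inline so it runs under Node without a browser.

```javascript
// Added example (not the original article's or TikTok's code): a postMessage
// handler with no sender validation, beside a hardened one that checks the origin.

// Assumed allowlist of origins permitted to talk to this window.
const TRUSTED_ORIGINS = new Set(["https://app.example.com"]);

// Constructed stand-in for the sensitive state the article lists
// (device details, watched videos, search queries).
const sampleStore = {
  analytics: {
    device: { type: "desktop", os: "Linux", browser: "Firefox" },
    watched: [{ video: "v1", seconds: 12 }, { video: "v2", seconds: 40 }],
    queries: ["cats"],
  },
};

// Helper to build a MessageEvent-like object for offline use.
function makeEvent(origin, data) {
  return { origin, data };
}

// Vulnerable pattern: every message is treated as trusted, so any page that can
// obtain a reference to this window (for example via an iframe) can read the data.
function handleMessageUnsafe(event, store) {
  const msg = event.data;
  if (msg && msg.type === "getAnalytics") {
    return { ok: true, payload: store.analytics }; // leaked regardless of sender
  }
  return { ok: false, reason: "unknown type" };
}

// Hardened pattern: reject untrusted origins before touching the payload,
// validate the message shape, and echo back the verified origin so the caller
// can pass it as the targetOrigin argument when replying.
function handleMessageSafe(event, store) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { ok: false, reason: "untrusted origin" };
  }
  const msg = event.data;
  if (!msg || typeof msg !== "object" || typeof msg.type !== "string") {
    return { ok: false, reason: "malformed message" };
  }
  if (msg.type === "getAnalytics") {
    return { ok: true, payload: store.analytics, replyTo: event.origin };
  }
  return { ok: false, reason: "unknown type" };
}

// In a real page the hardened handler would be wired up as:
//   window.addEventListener("message", (e) => {
//     const r = handleMessageSafe(e, store);
//     if (r.ok) e.source.postMessage(r.payload, r.replyTo); // never "*"
//   });

// Side-by-side demonstration of a request arriving from an unrelated origin.
function demo() {
  const hostile = makeEvent("https://attacker.example", { type: "getAnalytics" });
  return {
    unsafeLeaks: handleMessageUnsafe(hostile, sampleStore).ok,
    safeBlocks: !handleMessageSafe(hostile, sampleStore).ok,
  };
}
```

The detection side of this is simple to audit: grep the client bundle for `addEventListener("message"` and confirm each listener compares `event.origin` to a fixed allowlist before parsing `event.data`, and that replies pass an explicit `targetOrigin` rather than `"*"`.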

However, as mentioned earlier, the vulnerability has already been fixed: the researchers reported the flaw to TikTok and waited for a fix before making the details public, so as not to put users at risk.

Regardless of any vulnerabilities, it is an understatement to say that TikTok is a controversial app. Its data collection practices are extensive, and the US government has been trying to get it banned for over a year, claiming that the Chinese government's tight grip could allow it to force access to that data at any given time.