TikTok patches security flaw that could leave your activity open to anyone

TikTok on a phone in front of the USA flag
(Image credit: CFOTO/Future Publishing via Getty Images)

UPDATE - In response to our initial story, a TikTok spokesperson told TechRadar Pro, "Through our partnership with the security researchers at Imperva, we discovered and quickly fixed a vulnerability present in some older versions of the web app. We thank the Imperva researchers for their efforts to help identify potential issues so we can swiftly resolve them."

Cybersecurity researchers from Imperva have uncovered a flaw in the popular social media app TikTok which could have allowed threat actors to exfiltrate sensitive data from victim devices to be used in identity theft attacks, phishing, or for blackmail.

The vulnerability, which has since been fixed, was found in the way the app handled incoming messages. Explaining the method, the researchers said the attackers could send a malicious message to the TikTok web application through the PostMessage API, which would glide past any security measures. 

The message event handler would then process the message and deem it secure, granting the attacker access to the valuable information.

User account details

By exploiting the vulnerability, the attackers could gain access to a treasure trove of valuable data, such as user device data (device type, operating system, browser used, etc.), videos viewed (what videos the victim viewed), the time spent on each video, user account data (usernames, videos, other account details), search queries (what the user searched for on the platform).

Even without the vulnerabilities, TikTok is a controversial app, to put it mildly. It was built by a Chinese company called ByteDance, and has more than 1.5 billion users (more than 150 million in the U.S. alone). 

Recently, the US government started scrutinizing and banning Chinese companies, claiming their government has a tight grip on them and could force them to allow for unauthorized backdoor access at any point.

Huawei was banned from developing the 5G infrastructure in the States, for that very reason. As for TikTok, the U.S. government first forced the company to store all of the data in the country, and then recently told its employees to remove the app from government-issued devices, citing matters of national security. 

TikTok, much like many other Chinese companies, is denying any involvement in any wrongdoing. 

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.