TikTok has fixed four security bugs in its Android app that could have led to the hijacking of user accounts.
The vulnerabilities, found by app security startup Oversecured, could have allowed a malicious app on the same device to steal sensitive data, such as session tokens, from inside the TikTok app. Session tokens are short secrets the app stores so that the user stays logged in without having to re-enter their password. If stolen, these tokens can give an attacker access to a user's account without ever needing the password.
The malicious app would have to exploit the vulnerabilities to inject a malicious file into the vulnerable TikTok app. Once the user opens TikTok, the malicious file is triggered, letting the malicious app silently read the stolen session tokens and send them to the attacker's server in the background.
Sergey Toshin, founder of Oversecured, told TechCrunch that the malicious app could also hijack TikTok's app permissions, giving it access to the Android device's camera and microphone and to private data on the device, such as photos and videos.
Oversecured published technical details of the bugs on its website.
TikTok said it fixed the bugs earlier this year after Oversecured reported the vulnerabilities.
“As part of our ongoing efforts to build the safest and most secure platform in the industry, we constantly work with third parties to find and fix bugs,” said TikTok spokesperson Hilary McQuaide. “While the bugs in question would only pose a risk if a user had also downloaded a malicious application onto their Android device, we have fixed them. We appreciate the researcher reporting this issue to us so that we could fix it, and we encourage all of our users to download the latest version of the app.”
News of the bugs comes just days before an expected ban on TikTok is set to take effect. The Trump administration declared the video-sharing app a threat to national security earlier this year over its ties to China.
ByteDance, the Beijing-headquartered parent company of TikTok, has denied the claims and sued the federal government to challenge the allegations.
TikTok, which is not available in China, said it had “never provided user data to the Chinese government, nor would we do so if asked.”