
TikTok, the short-video sharing service, says it has fixed four security holes in its Android application that could have led to the hijacking of user accounts.
The danger of the vulnerabilities, discovered by app security firm Oversecured, lies in allowing a malicious application installed on the same device to steal sensitive files, such as session tokens, from within the TikTok app.
Session tokens are small files that keep the user logged in without having to re-enter a password. If these tokens are stolen, an attacker could gain access to the user's account without needing the password.
To get them, the malicious application would have to exploit the vulnerabilities to inject a malicious file into the vulnerable TikTok app. As soon as the user opened TikTok, the malicious file would run, allowing the malicious application to collect the session tokens and send them silently to the attacker's server in the background.
Oversecured founder Sergey Toshin told TechCrunch that the malicious application could also hijack the permissions granted to the TikTok app, giving it access to the Android device's camera and microphone and to private data on the device, such as photos and videos.
TikTok said it fixed the vulnerabilities earlier this year after being notified by Oversecured.
“As part of our ongoing efforts to build the safest and most secure platform in the industry, we are constantly working with third parties to find and fix errors,” said TikTok spokeswoman Hillary McQuade. “While the bugs in question may only pose a risk if the user also downloads a malicious application on their Android device, we have fixed them,” she added.
Notably, news of the flaws comes alongside a Reuters report on Friday which, citing three people familiar with the matter, said that Beijing opposes a forced sale of TikTok's US operations by its Chinese owner ByteDance and would prefer to see the short-video application shut down in the United States.
US officials have criticized TikTok's security and privacy practices, pointing to the possibility of user data being shared with Beijing. The company has said it will not comply with any request to share user data with the Chinese authorities.