As if the US Congress furor over alleged Chinese government control wasn’t bad enough, TikTok has been suffering from a technical vulnerability that may have exposed intimate user data, research has found.
Imperva’s cybersecurity testing team notified the ByteDance-owned platform of the bug, and to its credit, TikTok patched the flaw promptly.
But in the meantime, sensitive user data, including device usage, internet browser and search query details, videos viewed, and personally identifiable information tied to individual TikTok accounts, such as usernames, was all up for grabs to enterprising cybercriminals.
“This information can be used for malicious purposes such as targeted phishing attacks, identity theft, or blackmail,” said Imperva. “We would like to thank TikTok for their quick response and cooperation.”
The bug was caused by improper verification of the origin of incoming messages, due to a fault in the platform’s “message event handler,” the code that receives messages sent to a web page from other windows or frames. Such handlers are designed to help increasingly complex apps cope with input from external sources. In this case, the origin check went awry.
“Based on our experience, these handlers are often overlooked as potential sources of security vulnerabilities, even though they handle input from external sources,” said Imperva.
“This disclosure serves as a reminder of the importance of proper message origin validation and the potential risks of allowing communication between domains without appropriate security measures.”
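To make the “message origin validation” point concrete, here is an added JavaScript example of a browser `message` event handler written first without and then with an origin check, plus a sender that refuses the `"*"` wildcard target. This is not TikTok’s or Imperva’s code, and the origins, message types and profile values are constructed placeholders.

```javascript
// Added example: a cross-window "message" event handler before and after
// origin validation. Not TikTok's or Imperva's code; origins and message
// types below are constructed for illustration.

const TRUSTED_ORIGINS = new Set([
  "https://app.example.test",   // assumed: the application's own origin
  "https://embed.example.test", // assumed: a first-party embed origin
]);

// Exact-match allowlist. Substring or prefix checks (e.g. origin.includes(...))
// are the classic mistake, because a lookalike host name would pass them.
function originIsTrusted(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Minimal stand-in for a MessageEvent so the handlers run outside a browser.
function makeEvent(origin, data) {
  return { origin, data };
}

// Per-user state the handler can read or modify; constructed sample values.
function makeState() {
  return {
    profile: { username: "sample_user", email: "sample_user@example.test" },
    lastQuery: null,
    audit: [],
  };
}

// Vulnerable pattern: acts on event.data without looking at event.origin, so
// any page holding a reference to this window can read or alter state.
function vulnerableHandler(event, state) {
  const { type, payload } = event.data || {};
  switch (type) {
    case "setQuery":
      state.lastQuery = String(payload);
      return { ok: true };
    case "getProfile":
      return { ok: true, profile: state.profile }; // leaks PII to any origin
    default:
      return { ok: false, reason: "unknown message type" };
  }
}

// Hardened pattern: validate the origin first, then the message shape, and
// record rejections so monitoring can notice probing from unexpected origins.
function hardenedHandler(event, state) {
  if (!originIsTrusted(event.origin)) {
    state.audit.push(`rejected message from ${event.origin}`);
    return { ok: false, reason: "untrusted origin" };
  }
  if (typeof event.data !== "object" || event.data === null) {
    return { ok: false, reason: "malformed message" };
  }
  const { type, payload } = event.data;
  switch (type) {
    case "setQuery":
      if (typeof payload !== "string" || payload.length > 256) {
        return { ok: false, reason: "invalid query" };
      }
      state.lastQuery = payload;
      return { ok: true };
    case "getProfile":
      // Even for a trusted origin, return only what the embed needs.
      return { ok: true, profile: { username: state.profile.username } };
    default:
      return { ok: false, reason: "unknown message type" };
  }
}

// Sender side: never post data with targetOrigin "*". Naming the trusted
// origin makes the browser drop the message if the target window has
// navigated somewhere else in the meantime.
function buildOutgoingMessage(targetOrigin, message) {
  if (targetOrigin === "*" || !originIsTrusted(targetOrigin)) {
    throw new Error(`refusing to post to ${targetOrigin}`);
  }
  // In a real page: targetWindow.postMessage(message, targetOrigin);
  return { message, targetOrigin };
}

// Wiring in a real page; a no-op under Node, where window is undefined.
if (typeof window !== "undefined") {
  const state = makeState();
  window.addEventListener("message", (e) => hardenedHandler(e, state));
}
```

The two handlers accept the same message types; the only functional difference is that the hardened one checks `event.origin` against an exact allowlist before touching `event.data`, validates the payload, and narrows what it returns. Those three steps are what “proper message origin validation” amounts to in practice.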
TikTok has a billion users worldwide, but could be set to lose 150 million of those based in the US if Congress votes in favor of a nationwide ban on the Chinese-owned app.
Advocates of a ban say the Communist Party of China could theoretically compel ByteDance to hand over any sensitive data about US citizens using its authoritarian rule.