TikTok leaked user data


As if the US Congress furor over alleged Chinese government control wasn’t bad enough, TikTok has been suffering from a technical vulnerability that may have exposed intimate user data, research has found.

Imperva’s cybersecurity testing team notified the ByteDance-owned platform of the bug, and to its credit, TikTok patched the flaw promptly.

But in the meantime, vital user data including device usage, internet browser and search query details, videos viewed, and personally identifiable information associated with individual TikTok accounts including usernames were all up for grabs to enterprising cybercriminals.

“This information can be used for malicious purposes such as targeted phishing attacks, identity theft, or blackmail,” said Imperva. “We would like to thank TikTok for their quick response and cooperation.”

The bug was caused by improper verification of online message origins due to a fault in the platform’s “message event handler.” This is designed to help increasingly complex apps cope with input from external sources. In this case, it seems to have gone awry.

“Based on our experience, these handlers are often overlooked as potential sources of security vulnerabilities, even though they handle input from external sources,” said Imperva.

“This disclosure serves as a reminder of the importance of proper message origin validation and the potential risks of allowing communication between domains without appropriate security measures.”

TikTok has a billion users worldwide, but could be set to lose 150 million of those based in the US if Congress votes in favor of a nationwide ban on the Chinese-owned app.

Advocates of a ban say the Communist Party of China could theoretically compel ByteDance to hand over any sensitive data about US citizens using its authoritarian rule.

Opponents say the move is nothing more than a cynical ploy by legislators to shore up American big tech players such as Google in a spiraling tech trade war between the US and China.


More from Cybernews:

Consumer behavior analysis giant Gfk violated privacy, says legal complaint

"Spiraling" Musk threatens to transfer NPR’s account to another company

PornHub blocked in Utah over new age verification law

US cop accused of using Genesis Market to illegally purchase stolen personal data

Chatbots churn out trash AI-generated material in content farms, researchers find

Subscribe to our newsletter



Leave a Reply

Your email address will not be published. Required fields are markedmarked