
TikTok security breach allowed attackers to leak personal information

The research group of cyber company Imperva uncovered a vulnerability, which has now been fixed, that could allow attackers to monitor users' activity on both mobile and desktop devices

A TikTok security breach allowed potential attackers to leak information about any user on the platform who opened a link, Israeli cybersecurity company Imperva revealed on Wednesday.
According to the company’s research group, this vulnerability, which has now been fixed, was caused by a window message event handler that did not properly validate the message origin, giving attackers access to sensitive user information. The information included details of the device, details of the user, viewing history, searches, viewing time, and more.
The security breach was discovered in the TikTok system that tracks user data. The weakness was caused by a lack of authentication both in receiving and in sending internal messages in the system. After the weakness was revealed, the company was contacted, and the problem was fully resolved a short time later.
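
The class of flaw described above, as an added example that is not taken from Imperva's report or from TikTok's code: a window message handler that trusts any sender and replies to a wildcard target, beside one that checks the origin on receipt and names the recipient on send. The origins, message type and data are constructed, the wildcard reply is an assumed illustration of the missing check on the sending side, and `simulate` is a hypothetical stand-in for a browser `MessageEvent` so the code runs under Node.

```javascript
// Assumed allow-list of origins permitted to request tracking data.
const TRUSTED_ORIGINS = new Set(["https://app.example.com"]);

// Constructed sample of the kind of data a tracking component holds.
const trackingData = { device: "constructed-device", history: ["constructed-entry"] };

// Weak form: answers whichever window sent the message and does not
// restrict which origin may read the reply ("*").
function weakHandler(event) {
  if (event.data && event.data.type === "get-tracking") {
    event.source.postMessage({ type: "tracking", payload: trackingData }, "*");
  }
}

// Hardened form: exact-match origin check on receive, strict message shape,
// and an explicit target origin on send so only that origin gets the reply.
function hardenedHandler(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return; // unknown sender: drop
  const msg = event.data;
  if (typeof msg !== "object" || msg === null || msg.type !== "get-tracking") return;
  event.source.postMessage({ type: "tracking", payload: trackingData }, event.origin);
}

// Stand-in for a MessageEvent: records what the handler would send back.
function simulate(handler, origin) {
  const sent = [];
  const source = { postMessage: (data, targetOrigin) => sent.push({ data, targetOrigin }) };
  handler({ origin, data: { type: "get-tracking" }, source });
  return sent;
}

// In a browser the handler is registered on the window object.
if (typeof window !== "undefined") {
  window.addEventListener("message", hardenedHandler);
}

// Constructed origins: one trusted, one unrelated, one lookalike that a
// prefix or substring check would wrongly accept.
for (const origin of ["https://app.example.com", "https://other.example",
                      "https://app.example.com.other.example"]) {
  console.log(origin, "weak replies:", simulate(weakHandler, origin).length,
              "hardened replies:", simulate(hardenedHandler, origin).length);
}
```

The set lookup compares the whole origin string, which is why the lookalike origin is rejected where a `startsWith` or `includes` test would let it through.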

“This weakness is an excellent example of how privacy and security in social networks largely depend on the companies that provide the service,” said Nadav Avital, Director of threat research at Imperva. “Unsafe use of a function that depends on external input leaked personal information that could have been used by hackers for further attacks such as phishing, blackmail, or alternatively for attacks on devices of high-profile users. We appreciate the fact that TikTok worked very seriously to fix the weakness.”
TikTok said in response: "Through our partnership with the security researchers at Imperva, we discovered and quickly fixed a vulnerability present in some older versions of the web app. We deeply thank the Imperva researchers for their efforts to help identify potential issues so we can swiftly resolve them."