TikTok has yet another vulnerability, this one discovered by security researchers at Imperva, and this time the flaw could enable threat actors to steal personal information from victims' devices for use in identity theft, phishing schemes, or extortion.
The vulnerability, which has since been fixed, was found in the way the app handled incoming messages. The researchers explained that a threat actor could exploit it by sending a malicious message to the TikTok web application through the postMessage API, bypassing its security measures. The message event handler would then process the message and treat it as trusted, granting the threat actor access to valuable information.
The information accessible to the attacker includes, but is not limited to, the victims' device information (device type, operating system, browser, etc.), the videos they watched, the amount of time spent watching each video, user account information, and search queries.
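The flaw class described above, as an added illustration that is neither TikTok's code nor Imperva's proof of concept: a message event handler that trusts every sender, beside a hardened version that checks event.origin against an exact allow-list and validates the message shape before replying. The origins, message type and profile data are assumed values constructed for this example.

```javascript
// Added example, not TikTok's handler. No DOM needed: events are constructed.

// Origins allowed to talk to this frame (assumed values). Exact-match only;
// prefix or regex checks on origins are a classic bypass source.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
// Message types the page legitimately expects (assumed value).
const ALLOWED_TYPES = new Set(["getProfileSummary"]);
const PROFILE = { device: "constructed-device-info", watched: 3 };

// Weak pattern: any window that can reach this frame drives the handler,
// and the reply uses "*" so any embedding page receives the data.
function handleMessageWeak(event) {
  const msg = event.data;
  if (!msg || msg.type !== "getProfileSummary") return false;
  event.source.postMessage({ profile: PROFILE }, "*");
  return true;
}

// Hardened pattern: verify origin first, then validate the message shape,
// and reply only to the verified sender with an explicit targetOrigin.
function handleMessageHardened(event) {
  if (typeof event.origin !== "string" || !ALLOWED_ORIGINS.has(event.origin)) {
    return false; // drop silently; a real app would also log the rejected origin
  }
  const msg = event.data;
  if (!msg || typeof msg !== "object" || !ALLOWED_TYPES.has(msg.type)) return false;
  event.source.postMessage({ profile: PROFILE }, event.origin);
  return true;
}

// Build a MessageEvent-like object whose source records what it was sent.
function makeEvent(origin, data) {
  const received = [];
  return {
    origin,
    data,
    received,
    source: { postMessage: (m, targetOrigin) => received.push({ m, targetOrigin }) },
  };
}

// Constructed events: one from an unrelated origin, one from the allowed one.
const fromUnknown = makeEvent("https://unrelated.example", { type: "getProfileSummary" });
const fromAllowed = makeEvent("https://app.example.com", { type: "getProfileSummary" });
console.log("weak handler answered unknown origin:", handleMessageWeak(fromUnknown));
console.log("hardened handler answered unknown origin:", handleMessageHardened(fromUnknown));
console.log("hardened handler answered allowed origin:", handleMessageHardened(fromAllowed));
```

In a real page the handler is registered with `window.addEventListener("message", handleMessageHardened)`, and the same origin check belongs on the sending side's targetOrigin argument.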
Recall that TikTok is facing a ban in the United States over privacy concerns and the relationship between the platform's owner ByteDance and the Chinese government. The United States government has warned its security officers and government employees not to access the app from their work devices, and while TikTok has fixed this issue, experts warn users to stay alert for further loopholes.