Researchers at cybersecurity firm Check Point Research have found a vulnerability in the popular video-sharing platform TikTok that allowed threat actors to harvest users' personal information.
The flaw, which has since been patched, raises questions about how much information users can safely share with mobile apps.
The security flaw was located in TikTok's "Find Friends" feature and enabled attackers to access some of a user's profile details, including their phone number, TikTok nickname, profile and avatar pictures, unique user IDs, and certain profile settings.
Be careful what you share
Detailing the method used to exploit the vulnerability, Check Point explained that TikTok uses contact syncing to help people find other users they may know. However, the researchers found that attackers could manipulate the sign-in process, allowing them to upload and sync contacts at scale and so build a database of users and their phone numbers that could be used for follow-up attacks.
After being informed of the vulnerability, TikTok developer ByteDance quickly issued a patch, making the app safe to use once more.
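The abuse pattern Check Point describes, bulk contact uploads performed by cycling through sign-ins, is something a service operator can look for on the server side. The following is an added example, not Check Point's or TikTok's code: a small detector that reads a hypothetical contact-sync request log (format, field names, thresholds and all sample values are constructed here) and flags any device that, within a sliding window, either uploads more contacts than a legitimate address book would hold or syncs through more accounts than a single user plausibly owns.

```python
"""Flag bulk contact-sync abuse in (constructed) server-side request logs.

Assumed hypothetical log line format, one sync request per line:
    <ISO-8601 UTC timestamp> sync device=<device_id> account=<account_id> contacts=<n>
Neither the format nor the thresholds come from TikTok; they are assumptions
for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sync device=(?P<device>\S+) account=(?P<account>\S+) contacts=(?P<n>\d+)$"
)

# Constructed sample: dev-A is an ordinary user syncing an address book twice in a day;
# dev-B pushes a large contact list through four different accounts in a few seconds.
SAMPLE_LOG = """\
2021-01-01T10:00:01Z sync device=dev-A account=user-1 contacts=142
2021-01-01T10:00:07Z sync device=dev-B account=acct-01 contacts=5000
2021-01-01T10:00:09Z sync device=dev-B account=acct-02 contacts=5000
2021-01-01T10:00:11Z sync device=dev-B account=acct-03 contacts=5000
2021-01-01T10:00:13Z sync device=dev-B account=acct-04 contacts=5000
2021-01-01T12:30:00Z sync device=dev-A account=user-1 contacts=3
"""


def parse(log):
    """Yield (timestamp, device, account, contact_count) for each well-formed line."""
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not sync requests
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["device"], m["account"], int(m["n"])


def find_bulk_sync(log, window=timedelta(hours=1), max_contacts=2000, max_accounts=2):
    """Return {device_id: {"contacts": worst_total, "accounts": worst_count}} for
    every device that, in some window of length `window`, uploaded more than
    `max_contacts` contacts or synced through more than `max_accounts` accounts."""
    by_device = defaultdict(list)
    for event in sorted(parse(log)):
        by_device[event[1]].append(event)

    flagged = {}
    for device, events in by_device.items():
        start = 0
        worst = {"contacts": 0, "accounts": 0}
        hit = False
        for end, (ts, _, _, _) in enumerate(events):
            # slide the window start forward until it is within `window` of this event
            while events[start][0] < ts - window:
                start += 1
            win = events[start:end + 1]
            total = sum(e[3] for e in win)
            accounts = len({e[2] for e in win})
            if total > max_contacts or accounts > max_accounts:
                hit = True
                worst["contacts"] = max(worst["contacts"], total)
                worst["accounts"] = max(worst["accounts"], accounts)
        if hit:
            flagged[device] = worst
    return flagged


if __name__ == "__main__":
    for device, stats in find_bulk_sync(SAMPLE_LOG).items():
        print(f"{device}: {stats['contacts']} contacts across {stats['accounts']} accounts in one window")
```

Keying on the device rather than the account is deliberate: the attack described above works precisely because the attacker keeps changing accounts, so a per-account rate limit alone would not see the aggregate. In production the same two counters would feed a rate limiter on the sync endpoint rather than a batch report.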
"Our primary motivation was to explore the privacy of TikTok," Oded Vanunu, Head of Products Vulnerabilities Research at Check Point, said. "We were curious to see if the TikTok platform could be used to gain access to private user data. We were able to bypass multiple protection mechanisms of TikTok that led to privacy violation. The vulnerability could have allowed an attacker to build a database of user details and their respective phone numbers. An attacker with that degree of sensitive information could perform a range of malicious activities, such as spear phishing or other criminal actions."
However, this isn't the first time that a security flaw has been found in TikTok. A year ago, Check Point published a research paper on another set of vulnerabilities. Ultimately, the best practice users can follow, with any app, is to share as little information as possible.