Technology
TikTok fixes a number of ugly security flaws
It’s nice when an online service promptly fixes security flaws. But sometimes the bugs themselves are so egregious that you have to wonder what other dangers lurk in that code.
Case in point: video sharing app TikTok.
Security company Check Point Research found a number of security issues in the TikTok app and on its website, potentially allowing an attacker to control someone else’s account, delete their videos, upload unauthorized videos, make private videos public and reveal a user’s personal information, including their private email address.
TikTok being one of the most popular apps out there, this would be pretty bad. But, again, it’s the amount and the type of bugs found that’s more worrying.
One issue allowed bad actors to send an SMS message to any phone number in the name of TikTok. Basically, with some fairly simple code tweaking, an attacker could’ve sent an SMS of the type: “Please download this urgent update,” with a link leading to a malicious app, and have the SMS actually arrive from TikTok. Ugh.
A different bug allowed an attacker to execute JavaScript code on behalf of the victim, and combining the two bugs allowed an attacker to perform actions on the victim’s account without consent.
There were other bugs, and some required a fair amount of technical knowledge to exploit, but line them up and it feels like TikTok’s security is, overall, more than a little sloppy.
“Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage further collaboration with security researchers,” TikTok told BBC in a statement.
The company said there’s no indication that an attacker actually exploited any of these bugs prior to this disclosure.
TikTok made headlines last year when its owner, China’s ByteDance, was fined by the FTC for illegally collecting children’s data. The app was banned by the U.S. army due to cybersecurity concerns, and it’s under investigation in the EU for how it handles children’s data.
-
Business7 days ago
This camera trades pictures for AI poetry
-
Business6 days ago
TikTok Shop expands its secondhand luxury fashion offering to the UK
-
Business7 days ago
Boston Dynamics unveils a new robot, controversy over MKBHD, and layoffs at Tesla
-
Business5 days ago
Mood.camera is an iOS app that feels like using a retro analog camera
-
Business5 days ago
UnitedHealth says Change hackers stole health data on ‘substantial proportion of people in America’
-
Business4 days ago
Tesla’s new growth plan is centered around mysterious cheaper models
-
Entertainment5 days ago
Furious Watcher fans are blasting it as ‘greedy’ over paid subscription service
-
Business4 days ago
Two widow founders launch DayNew, a social platform for people dealing with grief and trauma