Technology
TikTok fixes a number of ugly security flaws
It’s nice when an online service promptly fixes security flaws. But sometimes the bugs themselves are so egregious that you have to wonder what other dangers lurk in that code.
Case in point: video sharing app TikTok.
Security company Check Point Research found a number of security issues in the TikTok app and on its website, potentially allowing an attacker to control someone else’s account, delete their videos, upload unauthorized videos, make private videos public and reveal a user’s personal information, including their private email address.
TikTok being one of the most popular apps out there, this would be pretty bad. But, again, it’s the amount and the type of bugs found that’s more worrying.
One issue allowed bad actors to send an SMS message to any phone number in the name of TikTok. Basically, with some fairly simple code tweaking, an attacker could’ve sent an SMS of the type: “Please download this urgent update,” with a link leading to a malicious app, and have the SMS actually arrive from TikTok. Ugh.
A different bug allowed an attacker to execute JavaScript code on behalf of the victim, and combining the two bugs allowed an attacker to perform actions on the victim’s account without consent.
There were other bugs, and some required a fair amount of technical knowledge to exploit, but line them up and it feels like TikTok’s security is, overall, more than a little sloppy.
“Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage further collaboration with security researchers,” TikTok told BBC in a statement.
The company said there’s no indication that an attacker actually exploited any of these bugs prior to this disclosure.
TikTok made headlines last year when its owner, China’s ByteDance, was fined by the FTC for illegally collecting children’s data. The app was banned by the U.S. army due to cybersecurity concerns, and it’s under investigation in the EU for how it handles children’s data.
What’s on the far side of the moon? Not darkness.
How Rubrik’s IPO paid off big for Greylock VC Asheem Chandna
Photo-sharing community EyeEm will license users’ photos to train AI if they don’t delete them
Thoma Bravo to take UK cybersecurity company Darktrace private in $5B deal
‘Challengers’ review: You’re not ready for Zendaya’s horny love-triangle drama
Summer Movie Preview: From ‘Alien’ and ‘Furiosa’ to ‘Deadpool and Wolverine’
Zomato’s quick commerce unit Blinkit eclipses core food business in value, says Goldman Sachs
Monsta X’s I.M on making music, gaming, and being called ‘zaddy’
Petlibro’s new smart refrigerated wet food feeder is what your cat deserves
The books on your favorite creators’ TBR shelf
API startup Noname Security nears $500M deal to sell itself to Akamai
US think tank Heritage Foundation hit by cyberattack
NASA discovered bacteria that wouldn’t die. Now it’s boosting sunscreen.
How to watch ‘Argylle’: When and where is it streaming?
Tesla drops prices, Meta confirms Llama 3 release, and Apple allows emulators in the App Store
Tesla layoffs hit high performers, some departments slashed, sources say
TechCrunch Mobility: Cruise robotaxis return and Ford’s BlueCruise comes under scrutiny
Meta to close Threads in Turkey to comply with injunction prohibiting data-sharing with Instagram
Former top SpaceX exec Tom Ochinero sets up new VC firm, filings reveal
Consumer Financial Protection Bureau fines BloomTech for false claims
What’s on the far side of the moon? Not darkness.
How Rubrik’s IPO paid off big for Greylock VC Asheem Chandna
Photo-sharing community EyeEm will license users’ photos to train AI if they don’t delete them
Thoma Bravo to take UK cybersecurity company Darktrace private in $5B deal
‘Challengers’ review: You’re not ready for Zendaya’s horny love-triangle drama
Summer Movie Preview: From ‘Alien’ and ‘Furiosa’ to ‘Deadpool and Wolverine’
Zomato’s quick commerce unit Blinkit eclipses core food business in value, says Goldman Sachs
Monsta X’s I.M on making music, gaming, and being called ‘zaddy’
Petlibro’s new smart refrigerated wet food feeder is what your cat deserves
The books on your favorite creators’ TBR shelf
-
Business7 days agoThis camera trades pictures for AI poetry
-
Business6 days agoTikTok Shop expands its secondhand luxury fashion offering to the UK
-
Business7 days agoBoston Dynamics unveils a new robot, controversy over MKBHD, and layoffs at Tesla
-
Business5 days agoMood.camera is an iOS app that feels like using a retro analog camera
-
Business5 days agoUnitedHealth says Change hackers stole health data on ‘substantial proportion of people in America’
-
Business4 days agoTesla’s new growth plan is centered around mysterious cheaper models
-
Entertainment5 days agoFurious Watcher fans are blasting it as ‘greedy’ over paid subscription service
-
Business4 days agoTwo widow founders launch DayNew, a social platform for people dealing with grief and trauma
