A TikTok vulnerability could have let an attacker collect information about any user on the platform who opened a crafted link, the Israeli cybersecurity company Imperva disclosed on Wednesday.
According to the company’s research group, the flaw, which has since been fixed, was a window message event handler that did not validate the origin of incoming messages. Because any page able to send a message to the TikTok window was treated as trusted, an attacker could obtain sensitive user information: device details, user details, viewing history, searches, viewing time, and more.
The flaw was found in the TikTok component that tracks user data. The handler did not verify where incoming messages came from, nor did it restrict where its own replies could be delivered, so both directions of the message exchange lacked any check on the other party. After Imperva reported the issue, TikTok was contacted and the problem was fully resolved within a short time.
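To make the failure mode concrete, here is an added example (not Imperva's or TikTok's code) of a `window` message handler with the two defects described above, beside a hardened version. The trusted origin `https://app.example.com`, the profile data and the attacker origin are all constructed for the example; the stand-in sender window lets the block run under Node without a browser.

```javascript
// Added example, not code from the original article or from TikTok.
// Hypothetical origin that is allowed to request profile data.
const TRUSTED_ORIGINS = new Set(['https://app.example.com']);

// Constructed sample of the kind of data the article says was exposed.
const sensitiveProfile = {
  userId: 'u-1234',
  device: { model: 'example-phone', os: '16.0' },
  watchHistory: ['video-1', 'video-2'],
  searches: ['cats'],
  watchTimeSeconds: 4200,
};

// Vulnerable handler: never looks at event.origin, answers whoever asks, and
// posts the reply with targetOrigin '*'. A page that embeds this window in an
// iframe, or opens it via window.open, can simply ask for the data.
function vulnerableHandler(event) {
  if (event.data && event.data.type === 'getProfile') {
    event.source.postMessage({ type: 'profile', profile: sensitiveProfile }, '*');
    return 'replied';
  }
  return 'ignored';
}

// Hardened handler: exact-match allowlist on event.origin (receive side),
// structural validation of the message, and the reply pinned to the verified
// origin rather than '*' (send side).
function hardenedHandler(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return 'rejected-origin';
  }
  const msg = event.data;
  if (!msg || typeof msg !== 'object' || msg.type !== 'getProfile') {
    return 'ignored';
  }
  event.source.postMessage({ type: 'profile', profile: sensitiveProfile }, event.origin);
  return 'replied';
}

// Minimal stand-in for the sender's window object: records what it receives.
function makeSenderWindow() {
  const received = [];
  return {
    received,
    postMessage(data, targetOrigin) {
      received.push({ data, targetOrigin });
    },
  };
}

// Deliver one constructed request from `origin` to `handler` and report whether
// the sender got the profile back, and with which targetOrigin it was sent.
function simulate(handler, origin, data = { type: 'getProfile' }) {
  const sender = makeSenderWindow();
  const outcome = handler({ origin, data, source: sender });
  const reply = sender.received[0];
  return {
    outcome,
    leaked: reply !== undefined && reply.data.type === 'profile',
    targetOrigin: reply ? reply.targetOrigin : null,
  };
}

// In a browser the hardened handler is installed like this; guarded so the
// file also runs under Node.
if (typeof window !== 'undefined') {
  window.addEventListener('message', hardenedHandler);
}
```

Two details matter in practice. The origin comparison must be an exact match against a fixed list: `startsWith` or `indexOf` checks are bypassed by origins such as `https://app.example.com.attacker.example`, and `event.origin` is the string `"null"` for sandboxed iframes and opaque origins, which an allowlist correctly rejects. Passing `event.origin` instead of `'*'` as the `targetOrigin` of the reply means that even if the handler is tricked, the browser drops the response unless the sender's window is still at that origin.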
“This weakness is an excellent example of how privacy and security in social networks largely depend on the companies that provide the service,” said Nadav Avital, director of threat research at Imperva. “Unsafe use of a function that depends on external input leaked personal information that could have been used by hackers for further attacks such as phishing, blackmail, or alternatively for attacks on devices of high-profile users. We appreciate the fact that TikTok worked very seriously to fix the weakness.”