The vulnerabilities, discovered by the application-security company Oversecured, are dangerous because they allow a malicious application installed on the same device to steal sensitive files, such as session tokens, from within the TikTok application.
Session tokens are small files that keep the user logged in without having to re-enter a password. If these tokens are stolen, they can give an attacker access to the user’s account without needing the password.
The malicious application would have to exploit the vulnerabilities to inject a malicious file into the vulnerable TikTok app. As soon as the user opens TikTok, the malicious file is run, allowing the malicious application to silently collect the session tokens and send them to the attacker’s server in the background.
Sergey Toshin, founder of Oversecured, told TechCrunch that the malicious application could also hijack the TikTok application’s permissions, allowing it to access the Android device’s camera and microphone, as well as private data on the device such as photos and videos.
TikTok said it fixed the vulnerabilities earlier this year after being notified by Oversecured.
A TikTok spokeswoman, Hillary McQuade, said: “As part of our ongoing efforts to build the industry’s most safe and secure platform, we are constantly working with third parties to find and fix bugs.” She added: “While the bugs in question would pose a risk only if the user also downloaded a malicious application onto their Android device, we have fixed them.”
It is noteworthy that the news of the flaws comes alongside a Reuters report on Friday which, citing three people familiar with the matter, said that Beijing opposes a forced sale of TikTok’s US operations by its Chinese owner ByteDance and would prefer to see the short-video application shut down in the United States.
US officials have criticized TikTok’s security and privacy practices, pointing to the possibility of user data being shared with Beijing. The company has said it will not comply with any request to share user data with the Chinese authorities.
Source: Arab portal