TikTok has fixed four security holes in its Android app that could have led to the hijacking of user accounts.
The vulnerabilities, discovered by the app security firm Oversecured, could have allowed a malicious app on the same device to steal sensitive files, such as session tokens, from within the TikTok app. Session tokens are small files that let a user stay logged in without having to re-enter their password. If stolen, these tokens could give an attacker access to a user’s account without requiring a password.
To exploit the security holes, the malicious app would have to insert a malicious file into the vulnerable TikTok app. Once the user opens TikTok, the malicious file is triggered, allowing the malicious app to read the session tokens in the background and send them to the attacker.
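The risk described above is that a session token is a bearer credential: whoever holds the file is treated as the logged-in user, with no password needed. The following is an added example, not code from TikTok or Oversecured, showing the server-side controls that limit the damage when such a token leaks: the server stores only an HMAC of each token (so a leaked store is not replayable), tokens expire, all of a user's sessions can be revoked at once, and each token is bound to the device identifier it was issued to, so a copy replayed from the attacker's own machine is rejected. The `SessionStore` class, the `phone-A`/`phone-B` device identifiers and the server secret are all constructed for this illustration.

```python
"""Constructed example: bearer session tokens with hashing, expiry, revocation and device binding."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    device_id: str
    expires_at: float


class SessionStore:
    """Server-side session store (hypothetical). Only an HMAC of each token is kept,
    so a copy of this store does not hand out usable tokens."""

    def __init__(self, server_secret: bytes, ttl_seconds: int = 3600):
        self._secret = server_secret
        self._ttl = ttl_seconds
        self._sessions: Dict[str, Session] = {}

    def _key(self, token: str) -> str:
        # Keyed hash: the raw token is never written to the store.
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str, device_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._sessions[self._key(token)] = Session(user, device_id, now + self._ttl)
        return token

    def authenticate(self, token: str, device_id: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a valid token, or None. No password is involved: the token alone
        is the credential, which is exactly why a stolen one is dangerous."""
        now = time.time() if now is None else now
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        if now >= session.expires_at:
            del self._sessions[key]  # expired tokens are dropped on first use
            return None
        if session.device_id != device_id:
            return None  # token replayed from a device it was not issued to
        return session.user

    def revoke_user(self, user: str) -> int:
        """Invalidate every session of a user (e.g. after a compromise report or password change)."""
        doomed = [k for k, s in self._sessions.items() if s.user == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


def demo() -> Dict[str, object]:
    """Walk through the token lifecycle with a fixed clock so results are deterministic."""
    store = SessionStore(b"constructed-server-secret", ttl_seconds=3600)
    t0 = 1_600_000_000.0
    token = store.issue("alice", device_id="phone-A", now=t0)
    results: Dict[str, object] = {}
    # The legitimate device presents the token: accepted without any password.
    results["legit"] = store.authenticate(token, "phone-A", now=t0 + 10)
    # The same token exfiltrated and replayed from another device: rejected by device binding.
    results["stolen_other_device"] = store.authenticate(token, "phone-B", now=t0 + 10)
    # Operator learns of the leak and revokes all of alice's sessions.
    results["revoked_count"] = store.revoke_user("alice")
    results["after_revoke"] = store.authenticate(token, "phone-A", now=t0 + 20)
    # A fresh token still dies on its own once the TTL has elapsed.
    token2 = store.issue("alice", device_id="phone-A", now=t0 + 100)
    results["expired"] = store.authenticate(token2, "phone-A", now=t0 + 100 + 3600)
    # Garbage input never matches a stored hash.
    results["garbage"] = store.authenticate("not-a-token", "phone-A", now=t0)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Device binding only helps against a token replayed from somewhere other than the device it was issued to, which is the exfiltration case the article describes; a malicious app running on the same handset can report the same device identifier, so the binding is only as strong as that identifier. Short expiry and bulk revocation are what shrink the window once a leak is known, which is why a vendor's response to this kind of bug is to ship the fixed app and invalidate existing sessions rather than rely on the token format alone.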
Sergey Toshin, founder of Oversecured, told TechCrunch that the malicious app could also abuse TikTok’s app permissions, gaining access to the Android camera and microphone and to private data on the device such as photos and videos.
TikTok said it fixed the bugs earlier this year after Oversecured reported the vulnerabilities.
“As part of our ongoing efforts to build the most secure and secure platform in the industry, we are constantly working with third parties to find and fix bugs,” said Hilary McQuaide, spokeswoman for TikTok. “Although the bugs in question would only pose a risk if a user had downloaded a malicious application onto their Android device, we fixed them. We appreciate the researcher who reported this issue to us so we can fix it, and we encourage all of our users to download the latest version of the app.”
News of the bugs comes just days before an anticipated ban on TikTok goes into effect. The Trump administration declared the video-sharing app a national security threat earlier this year because of its ties to China.
ByteDance, TikTok’s parent company, headquartered in Beijing, has denied the claims and sued the federal government to challenge the allegations.
TikTok, which is inaccessible in China, said it “never provided user data to the Chinese government, nor would we if asked to.”