Technology
TikTok fixes a number of ugly security flaws
It’s nice when an online service promptly fixes security flaws. But sometimes the bugs themselves are so egregious that you have to wonder what other dangers lurk in that code.
Case in point: video sharing app TikTok.
Security company Check Point Research found a number of security issues in the TikTok app and on its website, potentially allowing an attacker to control someone else’s account, delete their videos, upload unauthorized videos, make private videos public and reveal a user’s personal information, including their private email address.
TikTok being one of the most popular apps out there, this would be pretty bad. But, again, it’s the amount and the type of bugs found that’s more worrying.
One issue allowed bad actors to send an SMS message to any phone number in the name of TikTok. Basically, with some fairly simple code tweaking, an attacker could’ve sent an SMS of the type: “Please download this urgent update,” with a link leading to a malicious app, and have the SMS actually arrive from TikTok. Ugh.
A different bug allowed an attacker to execute JavaScript code on behalf of the victim, and combining the two bugs allowed an attacker to perform actions on the victim’s account without consent.
There were other bugs, and some required a fair amount of technical knowledge to exploit, but line them up and it feels like TikTok’s security is, overall, more than a little sloppy.
“Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage further collaboration with security researchers,” TikTok told BBC in a statement.
The company said there’s no indication that an attacker actually exploited any of these bugs prior to this disclosure.
TikTok made headlines last year when its owner, China’s ByteDance, was fined by the FTC for illegally collecting children’s data. The app was banned by the U.S. army due to cybersecurity concerns, and it’s under investigation in the EU for how it handles children’s data.
-
Entertainment7 days ago
‘Mufasa: The Lion King’ review: Can Barry Jenkins break the Disney machine?
-
Entertainment6 days ago
OpenAI’s plan to make ChatGPT the ‘everything app’ has never been more clear
-
Entertainment5 days ago
‘The Last Showgirl’ review: Pamela Anderson leads a shattering ensemble as an aging burlesque entertainer
-
Entertainment6 days ago
How to watch NFL Christmas Gameday and Beyoncé halftime
-
Entertainment5 days ago
Polyamorous influencer breakups: What happens when hypervisible relationships end
-
Entertainment4 days ago
‘The Room Next Door’ review: Tilda Swinton and Julianne Moore are magnificent
-
Entertainment3 days ago
‘The Wild Robot’ and ‘Flow’ are quietly revolutionary climate change films
-
Entertainment4 days ago
CES 2025 preview: What to expect