Home / Android / TikTok fixes Android bugs that could have led to account hijacks

TikTok fixes Android bugs that could have led to account hijacks


TikTok has fixed four security bugs in its Android app that could have led to the hijacking of user accounts.

The vulnerabilities, discovered by app security startup Oversecured, could have allowed a malicious app on the same device to steal sensitive files, like session tokens, from inside the TikTok app. Session tokens are small files that keep the user logged in without having to re-enter their passwords. But if stolen, these tokens can give an attacker access to a user’s account without needing their password.

The malicious app would have to exploit the vulnerabilities to inject a malicious file into the vulnerable TikTok app. Once the user opens the app, the malicious file is triggered, letting the malicious app access and send stolen session tokens to the attacker’s server silently in the background.

Sergey Toshin, founder of Oversecured, told TechCrunch, that the malicious app could also hijack TikTok’s app permissions, allowing it access to the Android device’s camera, microphone and private data on the device, like photos and videos.

Oversecured published technical details of the bugs on its website.

TikTok said it fixed the bugs earlier this year after Oversecured reported the vulnerabilities.

Advertisements

“As part of our ongoing efforts to build the safest and most secure platform in the industry, we constantly work with third parties to find and fix bugs,” said TikTok spokesperson Hilary McQuaide. “While the bugs in question would only pose a risk if a user had also downloaded a malicious application onto their Android device, we have fixed them. We appreciate the researcher reporting this issue to us so that we could fix it, and we encourage all of our users to download the latest version of the app.”

News of the bugs come just days before an anticipated ban on TikTok is set to take effect. The Trump administration declared the video-sharing app a threat to national security earlier this year over its ties to China.

ByteDance, the Beijing-headquartered parent company of TikTok, has denied the claims, and sued the federal government to challenge the allegations.

TikTok, which is not accessible in China, said it had “never provided user data to the Chinese government, nor would we do so if asked.”





Source link

Advertisements

About admin

I'm a 50 year old PLC programmer from Burnley, UK. I severed my time as an electrician in the baking industry and soon got involved with the up and coming technology of PLC's. Initially this was all based in the Uk but as the years went by I have gradually worked my way around the globe. At first it was mainly Mitsubishi with a bit of Modicon thrown in but these days the industry leaders seem to be the Allen Bradley range of PLC and HMI’s.

Check Also

Yubico unveils its latest YubiKey 5C NFC security key, priced at $55

Advertisements Yubico, a maker of hardware security keys, has unveiled its newest YubiKey 5C NFC, ...

Leave a Reply

Your email address will not be published. Required fields are marked *

Advertisements