TikTok vulnerability left users' private data exposed
TikTok addressed a vulnerability that could have exposed users' personal information.
Angela Lang / CNET
A security flaw identified in the popular TikTok video-sharing app could have exposed personal information from users' profiles, including their phone number and profile settings, security researchers at cybersecurity firm Check Point said Tuesday. This information could have been used to tamper with users' account details and to build a database of TikTok users for malicious activity, researchers said.
The bug in the app’s “Find Friends” feature also revealed users’ nicknames, profile and avatar images, and unique user IDs, according to Check Point. There is no evidence that the vulnerability was ever exploited, and the bug has reportedly been fixed.
“An attacker with this level of sensitive information could engage in a variety of malicious activities, such as spear phishing or other criminal activity,” Check Point spokesman Ekram Ahmed said in a statement. “Our message to TikTok users is to share the basics when it comes to your personal information.”
TikTok made security and privacy a top priority in its community and thanked Check Point for raising awareness of the vulnerability.
“We are further strengthening our defenses by continuously improving our internal capabilities such as investments in automation protection measures as well as working with third parties,” a TikTok spokesman said in a statement.
TikTok, which operates outside of China but is owned by Chinese tech company ByteDance, has gotten into some controversy over the security of user data. A California user sued the company in 2019, claiming TikTok was sharing user data with the Chinese government. The U.S. Army banned service members from using the app on government phones after they originally used the service for recruiting.
It is also not the first TikTok vulnerability discovered by TikTok. Company researchers earlier this month found vulnerabilities in the app that opened the door to a number of attacks on users, including sending legitimate-looking text messages with links to malicious software and editing videos stored on the service.