Flaw in popular video-sharing app left phone numbers and profile settings open to malicious activity.
TikTok has patched a vulnerability that left users open to having personal information scraped.
A vulnerability identified in the popular video-sharing app TikTok exposed users to having personal information scraped from their profile, including their phone number and profile settings, security researchers at cybersecurity firm Check Point said Tuesday. That information could have been used to manipulate users' account details and build a database of TikTok users for malicious activity, researchers said.
The flaw in the app's Find Friends feature also exposed users' nicknames, profile and avatar pictures, and unique user IDs, Check Point said. There's no evidence that the vulnerability was ever exploited, and the flaw has reportedly been patched.
TikTok called security and privacy in its community its highest priority and thanked Check Point for bringing the vulnerability to its attention.
TikTok, which operates outside China but is owned by Chinese tech company ByteDance, has run into its share of controversy when it comes to the security of user data. A California user sued the company in 2019, alleging TikTok shares user data with the Chinese government. The US Army banned service members from using the app on government phones, after initially using the service for recruitment.
It's also not the first TikTok vulnerability discovered by Check Point. Earlier this month, researchers at the firm identified a series of software flaws in the app that opened the door to a range of attacks on users, including the sending of legitimate-looking text messages with links to malicious software and manipulating videos stored on the service.
Via cnet.com