 |
| Tik Tok addresses a security vulnerability in an Android app that could be used to hack accounts |
Short video sharing service TikTok said: It is working on fixing four security holes in its Android app that could lead to hijacking of user accounts.
The threat to the application security vulnerability (excessive security protection) that the company discovered is that malicious applications on the device itself can steal sensitive files such as the session code on the TikTok app.
Reportedly, session tokens are small files that allow users to stay logged in without having to re-enter their passwords. However, if these codes are stolen, the attacker can access the user's account without the user's password.
Malicious apps must use these vulnerabilities to inject malicious files into vulnerable TikTok apps. Once the user opens the application, the malicious file is executed, allowing the malicious application to silently access the stolen session code in the background and send it to the attacker's server.
(Sergei Tuchin, founder of Oversecured, told TechCrunch that malicious apps can also compromise TikTok app permissions so that they can access the Android device's camera, microphone, and data on the device. Like photos and videos. "
TikTok said the vulnerability was fixed after being notified by Oversecured earlier this year.
TikTok spokeswoman (Hillary McCloyd) said: “As part of our ongoing effort to create the most secure platform in the industry, we worked with third parties to find and fix bugs.” Although the errors involved can only pose a risk if users download apps Harmful to their Android device, we have fixed these errors. "
It should be noted that the news of the violation was released on Friday by the Reuters report. Reuters reported on Friday that three people familiar with the matter said Beijing opposes the forced sale of Tik Tok business by Chinese owner ByteDance. Instead, short video apps in the US will be closed.
US officials have criticized TikTok's security and privacy, indicating that user data may be shared with Beijing. The company said: It will not meet any requirements for sharing user data with the Chinese authorities.