Experts at the cybersecurity company Imperva discovered a vulnerability in the TikTok platform that allowed sensitive data to be stolen from users’ devices; it could be used to steal personal information or for phishing or extortion. The vulnerability is now closed.
The vulnerability was based on the mechanism for processing incoming messages: the postMessage API in TikTok allowed attackers to send malicious messages through the web version of the platform, which bypassed the protection system. The vulnerability could allow hackers to gain access to data about the user’s device (device type, operating system, browser), watched video history, account information, and search query history.
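The article gives no handler code. As an added example (not TikTok's or Imperva's code), this is a defensive receiver for `window.postMessage` events that acts only on messages from an exact allow-listed origin and of a known, validated shape; the origin `https://app.example.com` and the message types `resize` and `ping` are hypothetical.

```javascript
// Added example: defensive receiver for window.postMessage events.
// The origin and the message types below are hypothetical, not TikTok's.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// One validator per accepted message type; anything else is rejected.
const MESSAGE_SCHEMAS = {
  resize: (p) => Number.isInteger(p.height) && p.height > 0 && p.height <= 10000,
  ping: (p) => Object.keys(p).length === 0,
};

const isPlainObject = (v) =>
  v !== null && typeof v === "object" && !Array.isArray(v);

// Decide whether a MessageEvent-like object may be acted on.
function checkMessage(event) {
  // Exact origin comparison: no substring, endsWith or unanchored regex,
  // and the opaque origin "null" (sandboxed frames, data: URLs) never matches.
  if (!ALLOWED_ORIGINS.has(event.origin)) return { ok: false, reason: "origin" };
  const data = event.data;
  if (!isPlainObject(data)) return { ok: false, reason: "shape" };
  // Own-property lookup so "__proto__" or "constructor" cannot select a validator.
  if (typeof data.type !== "string" ||
      !Object.prototype.hasOwnProperty.call(MESSAGE_SCHEMAS, data.type)) {
    return { ok: false, reason: "type" };
  }
  if (!isPlainObject(data.payload) || !MESSAGE_SCHEMAS[data.type](data.payload)) {
    return { ok: false, reason: "payload" };
  }
  return { ok: true, type: data.type, payload: data.payload };
}

// Dispatch accepted messages; record rejected ones for monitoring.
function onMessage(event, handlers, rejected = []) {
  const verdict = checkMessage(event);
  if (!verdict.ok) {
    rejected.push({ origin: event.origin, reason: verdict.reason });
    return false;
  }
  const handler = handlers[verdict.type];
  if (typeof handler !== "function") return false;
  handler(verdict.payload, event);
  return true;
}

// Browser wiring (replies should name event.origin as targetOrigin, never "*"):
// window.addEventListener("message", (e) => onMessage(e, handlers));
```

The rejected list gives a place to hook logging, so that messages arriving from unexpected origins show up in monitoring instead of being silently dropped.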
The vulnerability in TikTok has been closed, but the number of complaints against the platform is not decreasing. The US Congress continues to push through a bill that could result in a full lockdown of the platform in the country, and numerous breaches have been identified at TikTok owner ByteDance’s data centers. But this stream of negativity has failed to deter advertisers: the platform’s popularity is too great.