TikTok has once again made it to the news owing to security flaws. This time, the vulnerabilities affect the TikTok Android app. Exploiting the bugs could allow stealing files from the target device.
TikTok Android App Vulnerabilities
Researchers from the mobile app security service Oversecured have found multiple vulnerabilities in the TikTok Android app.
Describing the details in a blog post, the researchers explained that they found four high-severity flaws in the app.
Briefly, one of these vulnerabilities could let an attacker steal arbitrary files from the device. The flaw affected the com.ss.android.ugc.aweme.livewallpaper.ui.LiveWallPaperPreviewActivity. Exploiting the flaw required user interaction and could give read-only access to arbitrary files. As stated in the post,
An attacker could therefore gain access to any files stored in the app’s private directory, and also to history, private messages, and session tokens, resulting in complete access to the user’s account.
Whereas, the other three could allow the adversary for arbitrary code execution. These vulnerabilities affected three separate libraries that could load into an app via a malicious app. The library could then persist even after an app was deleted.
Hence, the attacker could then exploit it to execute arbitrary codes.
An attacker could do the same things that the TikTok app could based on its permissions: access user pictures and videos stored on the device, audio records and web browser downloads, record audio and video from the user’s microphone and camera without consent when the app is in use, and read contacts. All the data obtained could have been sent to the attacker’s server in the background without the user knowing, and then analyzed.
The researchers have shared the PoC for all exploits in their post.
TikTok Patched The Bugs Already
Upon discovering the flaws, Oversecured reach out to TikTok and shared the PoC with them. The researchers discovered the bugs earlier this year, and following their report, they patched all the flaws.
Quoting a TikTok spokesperson, Threatpost has shared the following statement from the vendors,
While the bugs in question would only pose a risk if a user had also downloaded a malicious application onto their Android device, we have fixed them. We appreciate the researcher reporting this issue to us so that we could fix it, and we encourage all of our users to download the latest version of the app.
Hence, the users are safe from any potential issues that may arise by exploiting these bugs. Nonetheless, all Android TikTok users should ensure that they have the latest app versions running on their devices.
Let us know your thoughts in the comments.