Flaw in popular video-sharing app left phone numbers and profile settings open to malicious activity.
A vulnerability identified in the popular video-sharing app TikTok exposed users to having personal information scraped from their profile, including their phone number and profile settings, security researchers at cybersecurity firm Check Point said Tuesday. That information could have been used to manipulate users' account details and build a database of TikTok users for malicious activity, researchers said.
The flaw in the app's Find Friends feature also exposed users' nicknames, profile and avatar pictures, and unique user IDs, Check Point said. There's no evidence that the vulnerability was ever exploited, and the flaw has reportedly been patched.
"An attacker with that degree of sensitive information could perform a range of malicious activities, such as spear phishing or other criminal actions," Check Point spokesperson Ekram Ahmed said in a statement. "Our message to TikTok users is to share the bare minimum when it comes to your personal data."
TikTok called security and privacy in its community its highest priority and thanked Check Point for bringing the vulnerability to its attention.
"We continue to strengthen our defenses, both by constantly upgrading our internal capabilities such as investing in automation defenses, and also by working with third parties," a TikTok spokesperson said in a statement.
TikTok, which operates outside China but is owned by Chinese tech company ByteDance, has run into its share of controversy when it comes to the security of user data. A California user sued the company in 2019, alleging TikTok shares user data with the Chinese government. The US Army banned service members from using the app on government phones, after initially using the service for recruitment.
It's also not the first TikTok vulnerability discovered by Check Point. Earlier this month, researchers at the firm identified a series of software flaws in the app that opened the door to a range of attacks on users, including the sending of legitimate-looking text messages with links to malicious software and the manipulation of videos stored on the service.