TikTok has fixed four security bugs in its Android app that could have led to the hijacking of user accounts.
The vulnerabilities, discovered by app security startup Oversecured, could have allowed a malicious app on the same device to steal sensitive files, like session tokens, from inside the TikTok app. Session tokens are small files that keep the user logged in without having to re-enter their passwords. But if stolen, these tokens can give an attacker access to a user’s account without needing their password.
The malicious app would have to exploit the vulnerabilities to inject a malicious file into the vulnerable TikTok app. Once the user opens the app, the malicious file is triggered, letting the malicious app access and send stolen session tokens to the attacker’s server silently in the background.
Sergey Toshin, founder of Oversecured, told TechCrunch, that the malicious app could also hijack TikTok’s app permissions, allowing it access to the Android device’s camera, microphone and private data on the device, like photos and videos.
Oversecured published technical details of the bugs on its website.
TikTok said it fixed the bugs earlier this year after Oversecured reported the vulnerabilities.
“As part of our ongoing efforts to build the safest and most secure platform in the industry, we constantly work with third parties to find and fix bugs,” said TikTok spokesperson Hilary McQuaide. “While the bugs in question would only pose a risk if a user had also downloaded a malicious application onto their Android device, we have fixed them. We appreciate the researcher reporting this issue to us so that we could fix it, and we encourage all of our users to download the latest version of the app.”
News of the bugs come just days before an anticipated ban on TikTok is set to take effect. The Trump administration declared the video-sharing app a threat to national security earlier this year over its ties to China.
ByteDance, the Beijing-headquartered parent company of TikTok, has denied the claims, and sued the federal government to challenge the allegations.
TikTok, which is not accessible in China, said it had “never provided user data to the Chinese government, nor would we do so if asked.”