According to TechCrunch, TikTok has fixed four security vulnerabilities in its Android app that could lead to user account hijacking. Oversecured, an application security startup, discovered the vulnerabilities, which may allow malicious applications on the same device to steal sensitive files such as session tokens from within the TikTok app. Session tokens are small files that allow users to log in without entering a password. If stolen, these tokens can allow attackers to access the user's account without a password.
The malicious application uses the vulnerability to inject a malicious file into the TikTok app. Once the user opens the app, the malicious file is triggered, so that the malicious application can access the stolen session token and silently send it to the attacker's server in the background.
Sergey Toshin, founder of Oversecured, told TechCrunch that the malicious app could also hijack TikTok's app permissions, allowing it to access the Android device's cameras, microphones and personal data such as photos and videos on the device. The company posted technical details about the vulnerability on its website.
TikTok said it fixed the vulnerabilities earlier this year after Oversecured reported them.