Information disclosure in ByteDance TikTok

Published: 2019-09-04 | Updated: 2020-08-15

Risk	Low
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2019-14319
CWE-ID	CWE-200
Exploitation vector	Local network
Public exploit	N/A
Vulnerable software	TikTok Mobile applications / Apps for mobile phones
Vendor	ByteDance

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Information disclosure

EUVDB-ID: #VU20889

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-14319

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the affected application performs unencrypted transmission of images, videos, and likes. An attacker on the same Wi-Fi network can extract private sensitive information by sniffing network traffic.

Mitigation

Install update from vendor's website.

Vulnerable software versions

TikTok: 12.2.0 - 12.8.0

CPE2.3

External links

https://github.com/MelroyB/CVE-2019-14319/blob/master/CVE%202019-14319%20.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to perform certain actions on the device.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.