TikTok’s Tagging and Mention Settings Bypass: A Simple Business Logic Flaw

TikTok is one of the fastest-growing social media platforms, popular especially among young users for short-form videos and creative content. As a user and tester of the app, I’m aware that privacy controls are important features for managing interactions and keeping unwanted attention at bay.

A couple of years ago, I discovered a serious privacy issue related to TikTok’s tagging and mention settings. The app provided a way for users to disable tagging and mentions in their privacy preferences — a key control designed to help people avoid harassment, spam, or unwanted notifications. However, I found that even when these settings were turned off, it was still possible for other users to tag or mention someone, completely bypassing the privacy control.

Description of the Issue

The root cause of this problem was a business logic flaw in TikTok’s backend systems. Although the app’s user interface offered the option to disable tags and mentions, the backend did not enforce this restriction effectively.

This meant:

  • Users who disabled tagging and mentions could still be tagged or mentioned by others.

  • The platform did not check user preferences before processing tags and mentions.

  • As a result, the privacy setting appeared to have no effect, violating user expectations.

I confirmed that this was not a one-time error but a consistent behavior affecting all users who chose to disable these features.

Steps to Reproduce the Issue

  1. Log into TikTok and open the app’s privacy settings.

  2. Locate the option to disable tagging and mentions, and switch it off.

  3. From another TikTok account, attempt to tag or mention the user who disabled these settings in a video or comment.

  4. Observe that the tag or mention is successful despite the privacy control.

  5. Repeat to verify the issue occurs every time the setting is turned off.

This simple test exposed that TikTok’s system did not honor the user’s choice and allowed tags and mentions regardless of the privacy setting.

Security and Privacy Impact

Though this issue did not expose user data directly, it caused significant privacy concerns:

  • User Control Violation: The fundamental purpose of privacy controls is to let users decide who can interact with them. Allowing tags and mentions despite disabling them breaches this trust.

  • Harassment and Spam Risks: Users trying to avoid unwanted attention could still be targeted through tags or mentions, exposing them to potential harassment or spam.

  • False Sense of Security: Users believed they had protected themselves by disabling tags and mentions, but the system’s failure gave them a false sense of privacy.

  • Potential for Abuse: Malicious users could exploit this loophole to harass others or spread misinformation using mentions.

Business Impact

This flaw, while technical and behind the scenes, could have wider consequences for TikTok:

  • User Trust Damage: Privacy is a growing concern worldwide, and failing to enforce settings can erode user confidence in the platform.

  • Increased Support Burden: Users facing unwanted tags might contact support for help, increasing operational costs.

  • Compliance Risks: Privacy regulations in some regions require platforms to respect user settings; non-compliance could invite legal scrutiny.

  • Reputation Impact: Reports of privacy failures can harm TikTok’s public image, especially among younger, privacy-conscious users.

Resolution

After I reported the issue, TikTok’s engineering team acknowledged the problem and released a fix. Now, when users disable tagging and mentions, the system properly enforces those settings, preventing unwanted tags or mentions from others.

This fix restored user control and helped improve the platform’s privacy protections.

Conclusion

From this experience, I learned how even a small business logic error in a complex app like TikTok can have a big impact on privacy and user trust. It showed me the importance of thorough backend enforcement to complement user interface settings.

While the bug has been fixed, it highlights how platforms must continuously test and improve their systems to protect users’ privacy preferences. I’m encouraged to see TikTok respond and take privacy seriously — a reminder that ongoing vigilance is key to safer, more respectful online communities.



Comments

Post a Comment

Popular posts from this blog

When an AI Search Engine Forgot Who It Was: A Bug Report That Changed Perplexity AI’s Identity

Image
 Back on March 11, 2024 , I discovered something oddly off about how Perplexity AI saw itself. I had just downloaded the newly launched Perplexity Chrome extension , even though I’d been using the mobile app long before that. Just for fun, I asked the most basic, yet revealing question imaginable: “Are you better than Google?” It seemed like the perfect litmus test for a product that claims to reinvent search. But to my surprise, the response had nothing to do with Perplexity. Instead, it launched into a comparison between ChatGPT and Google. I was stunned - this wasn’t a chatbot; this was Perplexity, a search engine. Why was it talking like it was just a wrapper for OpenAI? Curious (and confused), I switched to the app version and asked the same question. The response was identical: Perplexity was still comparing ChatGPT to Google, completely ignoring its own identity in the process. That’s when it hit me - this wasn’t just a UX quirk; it was a core product logic bug . It wasn...
Read more

Understanding Android’s One-Time Permissions and Their Privacy Implications

I recently came across something unusual in Android’s one-time permission system — something that doesn’t quite match the way it’s described in the official documentation. This is related to the permissions we often see when an app asks for access to sensitive resources like the microphone or camera with the setting “Ask every time.” According to Android’s official documentation, one-time permissions should work like this: When the app is visible and in use, it can access the requested resource. If the app is sent to the background, it may still access the resource briefly. If the app is completely closed — either by swiping it away or force stopping it — the permission is revoked immediately. That means, in theory, if I close an app after granting it one-time access, it should ask me again the next time it needs that permission. What I Found While testing, I discovered that Android doesn’t always revoke these permissions instantly when the app is closed. Instead, if ...
Read more

I Accidentally Gained Admin Access to a LinkedIn Company Page - No Verification Needed

I’ve been using LinkedIn for years as a way to connect with professionals, follow companies, and share my work. It’s a platform trusted by millions for networking and recruitment. Company pages are especially important — they act as the official voice of an organization, showing job listings, updates, and brand presence. Recently, while casually browsing LinkedIn, I stumbled upon something that made me stop and rethink how secure this feature really is. I found that it’s possible to take full administrative control of certain company pages without any verification at all. No company email, no proof of employment, no review by HR or LinkedIn — just instant access. How I Discovered It It all started with a LinkedIn post about a drone technology company. Out of curiosity, I clicked through to see their LinkedIn profile. The page didn’t look like the usual auto-generated company pages LinkedIn creates when several employees list the same workplace. Instead, it looked like a manually create...
Read more