TikTok’s Tagging and Mention Settings Bypass: A Simple Business Logic Flaw

A couple of years ago, I discovered a significant privacy issue on TikTok related to the tagging and mention settings. At that time, TikTok allowed users to turn off tagging and mentions in their privacy settings — a key control designed to give users more control over their interactions.

However, despite these settings being turned off, it was still possible to tag or mention users. This meant that users could receive unwanted mentions or tags even after explicitly disabling them.

What Was the Issue?

The problem boiled down to a simple business logic flaw:

  • TikTok’s backend failed to properly enforce the “disable tagging/mention” setting.

  • Mentions and tags were allowed regardless of user preferences.

  • This violated users’ expectations of privacy and control on the platform.

Why It Mattered

For many users, privacy controls are critical. If someone chooses to disable mentions and tagging, they expect that choice to be respected to avoid harassment, spam, or unwanted attention. This loophole undermined that trust.

How It Was Fixed

After reporting the issue, TikTok addressed the bug and patched the flaw. Now, when users disable tagging or mentions, the platform correctly respects their settings.

Final Thoughts

This experience highlights how even small business logic issues in software can have a big impact on user privacy and trust. Platforms must rigorously enforce privacy preferences to maintain a safe and respectful environment for their communities.

I’m glad to see TikTok take user feedback seriously and improve their controls. It’s a reminder for all of us to keep pushing for better security and privacy online.


Comments

Post a Comment

Popular posts from this blog

🚨When an AI Search Engine Forgot Who It Was: A Bug Report That Changed Perplexity AI’s Identity

Image
 Back on March 11, 2024 , I discovered something oddly off about how Perplexity AI saw itself. I had just downloaded the newly launched Perplexity Chrome extension , even though I’d been using the mobile app long before that. Just for fun, I asked the most basic, yet revealing question imaginable: “Are you better than Google?” It seemed like the perfect litmus test for a product that claims to reinvent search. But to my surprise, the response had nothing to do with Perplexity. Instead, it launched into a comparison between ChatGPT and Google. I was stunned - this wasn’t a chatbot; this was Perplexity, a search engine. Why was it talking like it was just a wrapper for OpenAI? Curious (and confused), I switched to the app version and asked the same question. The response was identical: Perplexity was still comparing ChatGPT to Google, completely ignoring its own identity in the process. That’s when it hit me - this wasn’t just a UX quirk; it was a core product logic bug . It wasn...
Read more

When Two-Factor Authentication Becomes Too Easy: A Surprising Instagram Security Flaw

Two-factor authentication (2FA) is supposed to be a cornerstone of digital security. It’s that extra lock on the door — a way to prove you’re really you, not just someone with your password. But what happens if that lock can be turned on silently, without your knowledge? While testing Instagram’s multi-account feature on their mobile app, I discovered a surprising and concerning flaw: when creating a second Instagram account using the same Gmail address within the app, the system automatically enables SMS-based 2FA on the new account without any verification . Yes, you read that right — no SMS code, no confirmation, nothing. How This Happens Imagine you’re logged into Instagram Account A, which already has two-factor authentication enabled with your verified phone number. From there, you use Instagram’s “Add Account” → “Create New Account” option and register a second account, Account B, with the same Gmail . When you try to enable 2FA via text message on Account B, Instagram doesn’...
Read more

Privacy Settings Bypassed: Hidden Likes Still Visible Through Facebook Reels

Facebook allows users to control who can see the number of likes on their posts. For those who prefer privacy, there’s an option to make likes visible only to themselves — a simple setting designed to keep that engagement private. But here’s the catch: despite this privacy setting, a surprising loophole exists. Likes that are hidden on the post itself can still be viewed by others through the Reels feature . This inconsistency creates an unintended privacy gap, potentially exposing user engagement data that was meant to stay private. What’s Happening? Users who choose “Only Me” for like visibility expect that no one else can see their like counts on posts. While Facebook respects this setting on the main post, the same setting is not enforced in Reels. When others view the Reel related to the post, they can see the total likes — completely bypassing the user’s privacy preferences. Why This Is a Problem Privacy settings are fundamental to user trust. If a user takes the time to hi...
Read more