Israel-based security research firm Check Point says it found multiple severe loopholes within short-form video app, TikTok that could have potentially allowed hackers to take over users’ accounts, access their private data, and upload videos on their behalf. The vulnerability made it possible for intruders to masquerade as TikTok and send official text messages with malicious links.
The vulnerabilities have been patched since November when Check Point discovered them and warned TikTok through server-side changes as well as app updates. Therefore, if you haven’t updated TikTok in a while, head over to the app store and do so immediately.
“TikTok is committed to protecting user data. Like many organizations, we encourage responsible security researchers to privately disclose zero-day vulnerabilities to us. Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers,” said Luke Deshotels, a member of TikTok’s team of security researchers, in a statement.
The bug originated from the download link request feature on TikTok’s website. But due to a programming oversight, hackers could tap into the company’s official SMS channel, and instead of the download link, forward users a malicious one. When someone clicked on it, they would unknowingly end up ceding access to a range of sensitive sections of their TikTok account. Once in, the hacker could upload videos, make private posts public, delete files, view personal information such as email addresses, and more.
That’s not all. Check Point was able to unearth another security loophole which could have let hackers gain access to TikTok’s database of millions of users by inserting a piece of malicious code inside the official website. The firm’s researchers, through this, managed to retrieve accounts’ private data including their names and birth dates.
TikTok claims it hasn’t found any affected users or instances of abuse yet.
In a little over two years, TikTok has rapidly accumulated over a billion users and downloads across the globe. However, the social network has come under lawmakers’ crosshairs in the United States primarily due to its Chinese roots. Privacy vulnerabilities such as this one could end up compounding those concerns further.
To combat the increased scrutiny, TikTok’s parent company, ByteDance has mulled setting up a headquarters outside of China. A recent Bloomberg report also said that ByteDance may be considering letting go of TikTok altogether or sell a majority stake to put an end to the growing concerns.