They were discovered in November last year and fixed in December.
What you need to know
- An Israeli cybersecurity firm found serious vulnerabilities in popular video app tikTok.
- They would have allowed hackers to manipulate user data and reveal personal information.
- TikTok was notified about the problems on November 20 last year and fixed them in December.
An Israeli cybersecurity firm found serious vulnerabilities in popular video app TikTok, that unchecked, could have allowed hackers to manipulate user data, expose personal information and send users malicious links.
According to a report from The New York Times:
TikTok, the smartphone app beloved by teenagers and used by hundreds of millions of people around the world, had serious vulnerabilities that would have allowed hackers to manipulate user data and reveal personal information, according to research published Wednesday by Check Point, a cybersecurity company in Israel.
The weaknesses would have allowed attackers to send TikTok users messages that carried malicious links. Once users clicked on the links, attackers would have been able to take control of their accounts, including uploading videos or gaining access to private videos. A separate flaw allowed Check Point researchers to retrieve personal information from TikTok user accounts through the company's website.
Check Point's head of product vulnerability research said:
"The vulnerabilities we found were all core to TikTok's systems."
According to the report, Check Point notified TikTok on November 20, and all the vulnerabilities were fixed by December 15. As is standard practice in these scenarios, cybersecurity firms and finders of bugs, exploits, and vulnerabilities usually remain silent until the developer has a chance to address the issues, to prevent knowledge of any such problems becoming widespread.
TikTok is already in the crosshairs of US lawmakers, in particular, because of concerns over its ties to China. The apparent discovery of massive, exploitable security flaws will probably not do wonders for its image. In a statement, TikTok head of security Luke Deshotels said:
"TikTok is committed to protecting user data… Like many organizations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us… Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers."
Mr. Deshotels further noted that there was no indication any customer records had been breached.
The report notes that younger, startup apps enjoying explosive growth often find themselves more vulnerable to security exploits. Another cybersecurity expert stated:
"I would expect these types of vulnerabilities in a company like TikTok, which is probably more focused on tremendous growth, and on building new features for their users, rather than security."
According to the report, one of the vulnerabilities reportedly allowed attackers to use a link in TikTok's messaging system, to send users messages that looked like they came from TikTok. They could send malware that would let them take control of accounts to upload content, delete videos and make private videos public. It is also reported that TikTok was vulnerable to attacks that inject malicious code into trusted websites and that Check Point researchers were able to retrieve users' personal information, including names and dates of birth.
As mentioned, Check Point has seemingly confirmed that all reported vulnerabilities have now been fixed by TikTok.