TikTok had serious flaws that could let hackers post on users' behalf; vulnerabilities now fixed

TikTok learned about the conclusions of Check Point’s research on 20 Nov and said it had fixed all of the vulnerabilities by 15 Dec.


TikTok, the smartphone app beloved by teenagers and used by hundreds of millions of people around the world, had serious vulnerabilities that would have allowed hackers to manipulate user data and reveal personal information, according to research published Wednesday by Check Point, a cybersecurity company in Israel.

The weaknesses would have allowed attackers to send TikTok users messages that carried malicious links. Once users clicked on the links, attackers would have been able to take control of their accounts, including uploading videos or gaining access to private videos. A separate flaw allowed Check Point researchers to retrieve personal information from TikTok user accounts through the company’s website.

“The vulnerabilities we found were all core to TikTok’s systems,” said Oded Vanunu, Check Point’s head of product vulnerability research.

The app, whose parent company is based in Beijing, allows users to post short, creative videos, which can easily be shared on various apps.

TikTok was at one point the third-most downloaded app on the Play Store.

It has also become a target of lawmakers and regulators who are suspicious of Chinese technology. Several branches of the US military have barred personnel from having the app on government-issued smartphones. The vulnerabilities discovered by Check Point are likely to compound those concerns.

TikTok has exploded in popularity over the past two years, becoming a rare Chinese internet success story in the West. It has been downloaded more than 1.5 billion times, according to the data firm Sensor Tower.

But new apps like TikTok offer opportunities for hackers looking to target services that haven’t been tested through years of security research and real-world attacks. And many of its users are young and perhaps not mindful of security updates.

“TikTok is committed to protecting user data,” said Luke Deshotels, the head of TikTok’s security team.

“Like many organisations, we encourage responsible security researchers to privately disclose zero-day vulnerabilities to us,” he added. “Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers.”

Ronen Bergman, Sheera Frenkel and Raymond Zhong c.2020 The New York Times Company
