Israeli security company Check Point announced that it found multiple security vulnerabilities in TikTok, the popular Chinese application and social media site that lets its users, mostly teenagers, create short video clips of themselves and share them with friends.
The announcement comes at a time when members of the U.S. Congress have warned that TikTok censors content the Chinese government doesn't like, and that the Chinese government may have access to the app's user data. The Pentagon has also warned its personnel to delete the app, and some military branches have banned access to it on their networks. TikTok has so far denied all such allegations.
One vulnerability Check Point's researchers found would have allowed attackers to send forged messages to app users that appeared to come from TikTok itself. Attackers could have used this to deliver malicious links; opening such a link would have let the attackers take control of the user's account, upload content in the user's name, delete videos, or make private videos public.
Check Point also found that attackers could inject malicious content into trusted websites and then use it to retrieve users' personal information, such as their name and date of birth. In addition, the researchers discovered that one of the website's features lets users send themselves an SMS text message in order to download the application, and that this functionality could be abused to send malicious links to any user's phone number. Because the message arrives through TikTok's own SMS channel, a recipient has little reason to distrust it.
Other vulnerabilities would have let attackers silently follow a user and thereby learn that user's video IDs. With a video ID in hand, they could then use yet another vulnerability to make that private video public.
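The "text me the download link" feature described above is a common pattern, and the weakness is that the link in the message is taken from the request rather than fixed on the server. The following is an added example written for this page, not code from Check Point or TikTok: a minimal offline model of such an endpoint in a form that trusts a client-supplied URL, beside a hardened form that pins the link server-side and validates any override against a host allowlist. The parameter names (`phone`, `download_url`), the stand-in domain, and the fake SMS gateway are all assumptions made for illustration.

```python
"""Added example: a "send me the app" SMS endpoint, vulnerable and hardened.

Not Check Point's or TikTok's code. Parameter names, the stand-in domain
and the fake gateway are assumptions so the example runs offline.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Stand-in for the service's real download page (assumed, not a real URL).
OFFICIAL_DOWNLOAD_URL = "https://example-app.invalid/download"
ALLOWED_HOSTS = {"example-app.invalid"}

# Loose E.164 check: leading '+', then 7 to 15 digits.
E164 = re.compile(r"^\+[1-9]\d{6,14}$")


@dataclass
class Sms:
    to: str
    body: str


class FakeSmsGateway:
    """Records messages instead of sending them (constructed for the example)."""

    def __init__(self):
        self.sent = []

    def send(self, to, body):
        self.sent.append(Sms(to, body))


def send_download_link_vulnerable(params, gateway):
    """Vulnerable: whatever download_url the client supplies is placed in the SMS.

    Anyone who can reach the endpoint can therefore text an arbitrary link to
    any phone number, and it arrives from the service's own sender ID.
    """
    phone = params.get("phone", "")
    url = params.get("download_url", OFFICIAL_DOWNLOAD_URL)
    if not E164.match(phone):
        return False
    gateway.send(phone, f"Download the app here: {url}")
    return True


def send_download_link_hardened(params, gateway):
    """Hardened: the link is fixed server-side; an override is honoured only if it
    is https and its *hostname* (not the raw netloc) is on the allowlist.

    Using urlsplit().hostname matters: "https://example-app.invalid@evil.invalid/"
    has netloc "example-app.invalid@evil.invalid" but hostname "evil.invalid".
    """
    phone = params.get("phone", "")
    if not E164.match(phone):
        return False
    url = OFFICIAL_DOWNLOAD_URL
    requested = params.get("download_url")
    if requested:
        parts = urlsplit(requested)
        if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
            # Reject loudly rather than silently falling back; a rejected
            # request is a signal worth logging and rate limiting.
            return False
        url = requested
    gateway.send(phone, f"Download the app here: {url}")
    return True


if __name__ == "__main__":
    attacker_request = {"phone": "+15551234567",
                        "download_url": "https://evil.invalid/payload.apk"}
    g = FakeSmsGateway()
    send_download_link_vulnerable(attacker_request, g)
    print("vulnerable sent:", g.sent)          # contains the attacker's link
    h = FakeSmsGateway()
    print("hardened accepted:", send_download_link_hardened(attacker_request, h))
    print("hardened sent:", h.sent)            # nothing
```

The simplest fix is to drop the parameter entirely and always send `OFFICIAL_DOWNLOAD_URL`; the allowlist variant is shown because real deployments often need a campaign or referral path on the official host, and it demonstrates the hostname-versus-netloc pitfall that lets `user@host` URLs slip past naive string checks.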
Check Point disclosed the bugs to TikTok on November 20, and TikTok had fixed all of them by December 15.
Check Point sent a summary of its research to the U.S. Department of Homeland Security, according to the New York Times. In February of last year, the Federal Trade Commission (FTC) filed a complaint against TikTok, saying it illegally collected personal information from minors. TikTok ended up paying $5.7 million to settle the complaint.