Popular video-sharing app TikTok has revealed details of a new security flaw that could have allowed hackers to access and change user content and personal information.
The social-networking platform, which has over 1 billion users and is a favorite among teenagers worldwide, was found to have multiple serious vulnerabilities in November by cybersecurity firm Check Point Research (opens in new tab).
The flaws have since been patched, and TikTok says it has no evidence that the vulnerability was ever exploited, or that any breaches to user accounts occurred.
Check Point’s investigation found that attackers were able to send malicious links via SMS to users which appeared to be from TikTok, and if clicked, would exploit a flaw in the app that would allow hackers to delete users’ videos, upload unauthorized videos and make private videos public.
The security researchers also found a separate glitch in which hackers were able to retrieve personal information saved to the account, including private email addresses and payment information.
Check Point informed TikTok of its findings on November 20, and the company reported they had patched all the security flaws by December 15.
- US senators call for a probe into TikTok citing national security concerns
- TikTok owners announced a smartphone, could it be the best camera phone around?
- Google disables Xiaomi smart home integration after major security breach
It’s not the first time TikTok, owned by Chinese parent-company ByteDance, has come under scrutiny over security shortcomings – in December 2019 the United States Navy banned its personnel from using the smartphone app on government-issued devices, saying it posed a “cybersecurity threat”.
In a prepared statement, TikTok security engineer Luke Deshotels moved to reassure users, saying that the company is “committed to protecting user data”.
“Like many organizations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us. Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app,” Deshotels said.
Head of Product Vulnerability Research at Check Point, Oded Vanunu, says their latest findings highlight that even the most popular apps are at risk of data breaches.
“Social media applications are highly targeted for vulnerabilities as they provide a good source for private data and offer a good attack surface gate,” he said in a statement.
“Yet most users are under the assumption that they are protected by the app they are using.”