Serious security flaws found on TikTok

Image credit: Dreamstime

Israeli cyber-security company Check Point have discovered security flaws in wildly popular video-sharing app TikTok, relating to its handling of users’ phone numbers.

TikTok is a Chinese-owned social-media platform which allows users to share and view short videos. It has exploded in popularity among young people in the past year, passing 1.5 billion downloads in November 2019. It is credited with rapidly creating memes, hit songs, and celebrities, including rapper Lil Nas X.

Now, a cyber-security firm has revealed serious flaws in the app. Much of the issue relates to how TikTok handles users’ phone numbers, which must be provided when signing up to the app.

Check Point found that hackers were able to access these numbers and send texts on behalf of TikTok. Hackers would have been able to exploit this vulnerability to add or delete videos, change user privacy settings (between public and private), steal personal data, force a user onto a web server the attacker controls, and redirect users to malicious websites made to look like TikTok via a link in a legitimate-looking text message. The vulnerabilities were in place for most of 2019, raising “serious questions” about whether they had already been discovered and exploited by hackers, Check Point said.

Oded Vanunu, the Check Point consultant who led the investigation, told the BBC that: “We proved that there were, indeed, serious security issues with TikTok.”

The flaws were disclosed to TikTok owner ByteDance in November; the company “responsibly deployed” a solution within a month.

“Like many organisations, we encourage responsible security researchers to privately disclose zero-day vulnerabilities to us,” TikTok said in a statement. “Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage further collaboration with security researchers.”

Despite TikTok’s enormous popularity, concerns have been raised about its links to the Chinese government and its treatment of children’s personal data. Some US political figures have characterised the app as a national security threat, and last week, the US military forbade its personnel from using the app on government-issued phones on account of this possible threat.

This week, TikTok updated its community guidelines following criticism for removing or demoting political content; for instance, banning a young user who used the platform to draw attention to prison camps operated by Chinese authorities to “re-educate” Uighur Muslims (TikTok insisted that this resulted from a human moderation error). A recent Washington Post investigation found that China-based moderators were given the final say on which flagged videos should be removed.

Changes to the community guidelines include the classification of manipulated content like deepfakes as misinformation and a ban on Holocaust denial and denial of other violent events. However, it remains to be seen whether denial of well-documented violent events involving the Chinese government, such as the Tiananmen Square Massacre, will be treated similarly.
