The Jan. 8 report by Israeli cybersecurity firm Check Point found a series of flaws that could enable attackers to manipulate user content, upload and delete videos, and reveal sensitive data such as birthdates, payment information, and email addresses.
The Chinese-owned short-video sharing platform—currently under heightened scrutiny over its potential national security risks—exploded in popularity in 2019 and was one of the world's most downloaded apps as of October. It has 26.5 million monthly active users in the United States, according to the company.
The researchers said the security issues had existed for the majority of 2019, raising “serious questions” as to whether anyone has fallen victim, according to the BBC.
Following the report's release, Luke Deshotels, a TikTok spokesperson, said in a statement that all reported security issues identified by the firm have been fixed in the latest version of the app.
One of the loopholes, dubbed SMS link spoofing, makes it possible for attackers to send fake messages to any phone number posing as TikTok.
The texting function on the app's homepage lets users send themselves a text message with a link to download the app. Abusing that function, attackers could send messages containing a malicious link; once a victim clicked it, the attacker could gain access to the victim's account, the report said.
Researchers also found a weakness in TikTok's infrastructure that would allow attackers to redirect users to malicious sites that appear legitimate.
Through a loophole in TikTok's ad subdomain, the researchers were able to retrieve personal information from user accounts, including date of birth.
Researchers were also able to hijack the app by injecting malicious code, allowing them to perform actions on the victim's behalf, including creating videos, making a private video public, and approving follower requests.
Oded Vanunu, the head of Check Point's product vulnerability research team, told The New York Times that the vulnerabilities they identified were “all core to TikTok's systems.”
“Malicious actors are spending large amounts of money and putting in great effort to penetrate into such huge applications. Yet most users are under the assumption that they are protected by the app they are using,” Vanunu said in a Jan. 8 statement.
Check Point alerted ByteDance, which owns TikTok, in November, the BBC reported.
In recent months, TikTok has been embroiled in controversies over its security risks.
U.S. military branches have asked their personnel to delete the app from their government-issued phones following a Pentagon directive issued in mid-December.
The Defense Department warned about the