Israeli cyber experts reveal serious security flaws in TikTok

Dr. Luke Deshotels, a security engineer at TikTok, said the company is committed to protecting user data.

Tik Tok logos are seen on smartphones in front of displayed ByteDance logo in this illustration (photo credit: REUTERS)
Tik Tok logos are seen on smartphones in front of displayed ByteDance logo in this illustration
(photo credit: REUTERS)
Multiple vulnerabilities in viral video-sharing application TikTok could enable the exposure of confidential person information and content manipulation, Israeli cybersecurity experts have revealed.
Researchers at Check Point Software Technologies found flaws in the Chinese-developed app, hugely popular among children worldwide, enabling hackers to manipulate user accounts and extract information including dates of birth and private email addresses.
Attackers could send a spoofed SMS message to a user containing a malicious link, researchers said. Once a user clicked on the link, the attacker was able to control their TikTok account and manipulate their content. Attackers were able to delete and upload videos, and also make private or "hidden" videos public, in some cases exposing very sensitive images.
TikTok's marketing website, TikTok Ads, was also found to be vulnerable to cross-site scripting (XSS) attacks, in which malicious scripts are injected into trusted websites. Check Point researchers exploited the vulnerability to retrieve personal information from user accounts, including email addresses and birthdates.
Developed by Beijing-based ByteDance, TikTok has reportedly exceeded 1.5 billion downloads, according to app analysis firm Sensor Tower. In the United States, TikTok was the third most-downloaded app in 2019 after Facebook and Instagram.
"Data is pervasive but data breaches are becoming an epidemic, and our latest research shows that the most popular apps are still at risk," said Oded Vanunu, Check Point’s Head of Product Vulnerability Research.
"Social media applications are highly targeted for vulnerabilities as they provide a good source for private data and offer a good attack surface gate. Malicious actors are spending large amounts of money and putting in great effort to penetrate into such huge applications. Yet most users are under the assumption that they are protected by the app they are using."
Check Point informed developers at TikTok of the vulnerabilities, and an update has since been deployed by the Beijing company to fix the flaw.
Dr. Luke Deshotels, a security engineer at TikTok, said the company is committed to protecting user data.
"Like many organizations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us," said Deshotels. "Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers."

Stay updated with the latest news!

Subscribe to The Jerusalem Post Newsletter


Following guidance from the Pentagon, the United States Army joined the Navy in banning the use of Tiktok on government-issued smart devices in late December over national security concerns.
The US government launched a national security review of TikTok-developer ByteDance Technology in November, following its $1 billion acquisition of American lip-syncing application Musical.ly in 2017, Reuters reported.