Israeli cyber-researchers find security flaws in popular Chinese app TikTok

Check Point team says vulnerabilities — now fixed by app maker — could have allowed hackers to access accounts, private information and videos

Shoshanna Solomon was The Times of Israel's Startups and Business reporter

Illustrative. A hacker breaking into a computer. (gorodenkoff via iStockPhoto)

Researchers at Israeli cybersecurity firm Check Point Software Technologies Ltd. have found that one of the world’s most trending apps, China’s TikTok, with over a billion users around the world, was vulnerable to hacking attacks that could expose personal details such as private email addresses and personal information like sensitive videos.

The researchers said they informed TikTok developers of the vulnerabilities exposed in their research, and the firm has since fixed the flaws, making the app safe to use, Check Point said in a statement on Wednesday.

TikTok is available in over 150 markets in 75 languages. As of October 2019, TikTok was the most downloaded app in the United States, making it the first Chinese app to have achieved such a record.

The application is popular mainly among children and teenagers, who use it to create short music clips, mostly lip-sync clips of 3 to 15 seconds, and short looping videos of 3 to 60 seconds. The application allows users to share, save and keep private (and sometimes very sensitive) videos of themselves and their loved ones.

The app has already come under scrutiny: the US Army and Navy both banned it late last year, and TikTok’s parent company was facing a national security review in the United States. In Israel, the Border Police banned its officers from using the Chinese video-sharing social networking app over security concerns.

In their research, Check Point employees found that an attacker could send a spoofed SMS message to a user containing a malicious link. When the user clicked on the malicious link, the attacker was able to access the user’s TikTok account and manipulate its content: delete videos, upload unauthorized videos, and make private or “hidden” videos public, while also revealing personal information saved on the account, such as private email addresses.

The research also found that TikTok’s subdomain https://ads.tiktok.com was exposed to XSS attacks, a type of attack in which malicious scripts are injected into otherwise benign and trusted websites. Check Point researchers managed to use this vulnerability to retrieve personal information saved on user accounts including private email addresses and birthdates, the statement said.
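To illustrate the class of bug described above, here is an added example, not Check Point's research code and not anything from TikTok's site: a reflected XSS pattern in which a user-supplied value is concatenated into HTML, beside the hardened version that encodes the value first. The page names only the subdomain, so the search-results snippet, the "query" value and the probe string are constructed assumptions.

```javascript
// Added example (not from the article, Check Point or TikTok): how a
// reflected XSS bug arises and how HTML output encoding removes it.
// The search-results markup and the probe string below are constructed.

// Vulnerable pattern: a user-controlled value is concatenated into HTML
// as-is, so a value containing markup is parsed by the browser as markup.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Encode the five characters that can change HTML context. Once encoded,
// the browser renders the text literally instead of executing it.
// Ampersand must be replaced first so existing entities are not double-escaped later.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened pattern: same output, but every untrusted value is encoded first.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Simple check a reviewer or test suite can run over rendered output:
// does the HTML contain a script tag the template never wrote?
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Constructed probe of the kind a scanner submits to detect reflection.
const PROBE = "<script>alert(1)</script>";

// Render the probe through both paths so the difference is visible.
function demo() {
  return {
    unsafe: renderSearchUnsafe(PROBE),
    safe: renderSearchSafe(PROBE),
  };
}

// Stand-alone run: prints both renderings.
console.log(demo());
```

Encoding at the point of output is the fix; rejecting "bad" input is not a substitute, because the same value may later be placed in an attribute, a URL or a script block, each with its own encoding rules.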

The researchers warned that social media applications are high on attackers’ lists of targets, and even the most popular apps are at risk, yet most users are unaware of this fact.

“Data is pervasive but data breaches are becoming an epidemic, and our latest research shows that the most popular apps are still at risk,” said Oded Vanunu, Check Point’s head of Product Vulnerability Research. “Social media applications are highly targeted for vulnerabilities as they provide a good source for private data and offer a good attack surface gate. Malicious actors are spending large amounts of money and putting in great effort to penetrate into such huge applications. Yet most users are under the assumption that they are protected by the app they are using.”

Luke Deshotels of the TikTok Security Team said in the statement: “TikTok is committed to protecting user data. Like many organizations, we encourage responsible security researchers to privately disclose zero-day vulnerabilities to us. Before public disclosure, CheckPoint agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers.”
