TikTok logo is seen displayed on a phone screen in this illustration photo taken in Krakow, Poland on November 13, 2019. (Photo by Jakub Porzycki/NurPhoto via Getty Images)
NurPhoto | NurPhoto | Getty Images
China’s popular video sharing app TikTok had “multiple” security vulnerabilities, according to a new report.
Cybersecurity firm Check Point said it found flaws that could allow hackers to take control of TikTok accounts and manipulate the content, upload and delete videos and reveal personal information such as a private email address.
It comes amid heightened scrutiny of the Chinese-owned platform. The findings will add fuel to arguments, particularly from U.S. politicians, that TikTok — owned by Chinese company ByteDance — is a national security threat.
The cybersecurity firm found that it’s possible to send a standard text message to any phone number on behalf of TikTok. On the app’s own site, there is a function that lets users send a text message to themselves so they can download the app.
But attackers could create a fake text message that appeared to be from TikTok, but actually contained a malicious link. Once users clicked on the link, hackers could take control of the account.
There was also a vulnerability in a TikTok web domain which allowed attackers to insert a malicious code. This was used to retrieve personal information of users.
Check Point said it disclosed the findings to TikTok and they have been patched.
“TikTok is committed to protecting user data. Like many organizations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us,” Luke Deshotels of TikTok’s security team said in a statement. “Before public disclosure, CheckPoint agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers.”
The security patch is unlikely to allay concerns of U.S. lawmakers who have said the app could be a national security threat. TikTok is also the subject of a Committee on Foreign Investment in the United States, or CFIUS, national security review into its acquisition of Musica.ly, an app it bought in 2017.
The inquiry stems in part from the dangers the committee perceives from the Chinese government’s access to the app’s data and user profiles, a person familiar with the matter told CNBC last year.
