One of the world’s hottest apps was found vulnerable to data leakage, but this security flaw has been patched.

Multiple vulnerabilities were discovered in TikTok that could have allowed attacks to manipulate content on user accounts and even extract confidential personal information saved on these accounts. 

TikTok is used mainly by teenagers and kids to share, save and keep private (and sometimes very sensitive) videos of themselves and their loved ones. As of October 2019, TikTok is the most downloaded app in the United States, making it the first Chinese app to have achieved such a record. 

But recently, Check Point Research, the threat intelligence arm of Check Point Software Technologies, had found that an attacker could send a spoofed SMS message to a user containing a malicious link. When the user clicked on the malicious link, the attacker would be able to hijack the TikTok account and manipulate its content by deleting videos, uploading unauthorized videos, and making private or “hidden” videos public. 

The research also found that Tiktok’s subdomain was vulnerable to XSS attacks, a type of attack in which malicious scripts are injected into otherwise benign and trusted websites. Check Point researchers had leveraged this vulnerability to retrieve personal information saved on user accounts including private email addresses and birthdates. 

Check Point Research subsequently revealed that it had informed TikTok developers of the vulnerabilities exposed in this research and a fix has been responsibly deployed to ensure its users can safely continue using the TikTok app.

Oded Vanunu, Check Point’s Head of Product Vulnerability Research, said: “Data is pervasive but data breaches are becoming an epidemic, and our latest research shows that the most popular apps are still at risk. Social media applications are highly targeted for vulnerabilities as they provide a good source of private data and offer a good attack surface gate. Malicious actors are spending large amounts of money and putting in great effort to penetrate into such huge applications. Yet most users are under the assumption that they are protected by the app they are using.” 

Said Luke Deshotels of the TikTok Security Team: “TikTok is committed to protecting user data. Like many organizations, we encourage responsible security researchers to privately disclose zero-day vulnerabilities to us. Before public disclosure, CheckPoint agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers.”

Tim Mackey, Principal Security Strategist at Synopsys Software Integrity Group, commented: “With 40% of TikTok users being between 10-19, the ability for this user base to detect or understand the implications of any scam are limited. Developers of apps targeting or popular with teens then have a social responsibility to protect their install base from threats designed to harvest their data or scam them.”

While TikTok was able to patch the issues identified by Check Point Research, the attack path would have been identified in the course of the investigation, said Mackey.

“Developers performing this research would likely have identified not only the specific attack method, but could likely have discovered additional potential areas for user data to become compromised,” he said. “This investigative process is common when faced with any security issue, but in addition to the patch the development team should’ve updated their threat models and performed a more thorough review of the security of their application. By both creating a patch and updating a threat model, an organization can effectively prevent future attacks as developers tend to repeat coding patterns, and if a given coding pattern leads to security issue under one condition, it likely leads to security issues when used elsewhere in the application.”