KEY POINTS

  • An Israeli cybersecurity firm discovered major security issues in the popular video app TikTok
  • The vulnerabilities allowed attackers to steal user information and manipulate compromised accounts
  • TikTok was informed of the vulnerabilities in November, and was able to fix them in December

An Israeli cybersecurity firm has discovered major vulnerabilities in the popular video app TikTok, which could allow hackers to hack user accounts, manipulate user content and extract valuable information belonging to users. Thankfully, the issues are now fixed.

Check Point Research, the threat intelligence arm of Israeli cybersecurity company Check Point Software Technologies, has discovered multiple security issues in the popular TikTok app, which is now being used by hundreds of millions of teens and netizens globally.

The vulnerabilities, as per the cybersecurity firm, could allow people with malicious intent to have access to user accounts and do a lot of things, such as steal their confidential information, delete their videos, make their private videos public, and so on. The vulnerabilities can also allow attackers to upload unauthorized videos to compromised accounts.

The firm found that the app's subdomain was vulnerable to a type of attack where seemingly benign or “innocent” websites can be used to hack accounts and steal information. These, called XSS attacks, allow hackers to insert malicious scripts into trusted websites.

Attackers can leverage this vulnerability to send TikTok users spoofed messages that contained links. These messages are made to look like they are legitimate and are from TikTok. If a person clicks or taps on the links, the attacker can then gain access to his or her TikTok account for whatever purpose he may have in mind.

Check Point looked into TikTok's vulnerability to XSS attacks and successfully retrieved confidential user information, which included private email addresses and birthdates. The cybersecurity firm informed TikTok of the vulnerabilities on Nov. 20 last year, and by December, the app company was able to fix them.

In a press release from Check Point, Luke Deshotels, PhD, head of TikTok's Security Team, explained that “TikTok is committed to protecting user data” and is looking forward to working with security companies for that purpose.

“Like many organizations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us. Before public disclosure, CheckPoint agreed that all reported issues were patched in the latest version of our app," Deshotels added. "We hope that this successful resolution will encourage future collaboration with security researchers.”

For those who would like to read a detailed report regarding the cybersecurity firm's findings, Check Point's report can be found here.

A California student has filed a suit against Chinese-based TikTok, which she accuses of retrieving her data without permission
An Israeli cybersecurity firm discovered major security issues in TikTok. AFP / Lionel BONAVENTURE