TikTok Fixes ‘Serious’ Security Flaws

Video-sharing firm TikTok says it has fixed serious vulnerabilities identified by security specialist Check Point, that were present for most of 2019

Security flaws on the TikTok video-sharing platform have been fixed that could have allowed hackers to add or delete videos, change privacy settings and steal personal data.

Researchers at security firm Check Point alerted TikTok’s developer (ByteDance) after they found multiple issues, all ripe for exploitation by hackers.

It seems that the vulnerability was in place for most of 2019, and Check Point said this raised “serious questions” about whether any hacker had discovered it.

security vulnerability Shutterstock - © Andy Dean Photography

Flaws fixed

“In the last few months we have seen evidence of the potential risks embedded within the TikTok application, and this has been acknowledged as well by others in the industry,” noted Check Point in its research.

“In the recent months, Check Point Research teams discovered multiple vulnerabilities within the TikTok application,” the firm warned.

It said that the flaws could allow attackers to get a hold of TikTok accounts and manipulate their content. They could also delete videos, upload unauthorised videos, and make private “hidden” videos public.

And the flaws could have revealed personal information saved on the account such as private email addresses.

Check Point Research said they had informed TikTok developers in November about the vulnerabilities and a solution was responsibly deployed to ensure its users can safely continue using the TikTok app.

TikTok has over 1 billion active users and as of October 2019, it is one of the world’s most downloaded apps.

“The application is mainly used by teenagers and kids that are using this app to create short music clips, mostly lip-sync clips of 3 to 15 seconds, and short looping videos of 3 to 60 seconds,” said Check Point.

Expert reaction

Security experts commended TikTok for taking ownership of the flaws and rushing out fixes.

“Malicious actors are always looking for vulnerabilities, so TikTok should not be shamed for being targeted,” said Jake Moore, cybersecurity specialist at ESET. “The fact that they are taking ownership and offering quick support updates to mitigate the risk to their users is a positive step that should be commended.”

“One of the main vulnerabilities in question involved hackers being able to access phone numbers and send texts, which should serve as a warning that SMS messages must always be taken with precaution due to their lack of security,” said Moore. “People should always think twice before clicking on a link in a message, but when the SMS looks legitimate, people often still follow through with the request.

“Auto updates are always the best way to keep up to speed with apps like TikTok,” said Moore. “They will then look after themselves, so auto updating in the background should provide peace of mind.”

Another researcher pointed out that this could have a serious issue considering how widely used and popular the video-sharing app is.

WThe recent research into multiple vulnerabilities within TikTok’s application showcase the continued interest in the application, which remains one of the most popular mobile applications used by over one billion monthly active users,” noted Satnam Narang, senior research engineer at Tenable.

Meanwhile another expert noted the fact that many of TikTok users are youngsters, could have limited their ability to understand the implications of these flaws.

“With 40 percent of TikTok users being between 10-19, the ability for this user base to detect or understand the implications of any scam are limited,” said Tim Mackey, principal security strategist at the Synopsys Synopsys CyRC (Cybersecurity Research Centre).

“Developers of apps targeting or popular with teens then have a social responsibility to protect their install base from threats designed to harvest their data or scam them,” said Mackey. “While TikTok was able to patch the issues identified by Check Point Research, during investigation of the issue the attack path would’ve been investigated.”

“Developers performing this research would likely have identified not only the specific attack method, but could likely have discovered additional potential areas for user data to become compromised,” he said.

“This investigative process is common when faced with any security issue, but in addition to the patch the development team should’ve updated their threat models and performed a more thorough review of the security of their application,” said Mackey.

“By both creating a patch and updating a threat model, an organisation can effectively prevent future attacks as developers tend to repeat coding patterns and if a given coding pattern leads to security issue under one condition, it likely leads to security issues when used elsewhere in the application,” he concluded.

Do you know all about security? Try our quiz!