A series of vulnerabilities in the viral short-form video-sharing social media app TikTok left the personal information of its users – including email addresses and birthdays – vulnerable to exposure, and could also have enabled cyber criminals to manipulate content on user accounts, according to a new disclosure from Check Point.
The vulnerabilities centred on the SMS messaging system used by TikTok during the app download and sign-up process, and its subdomain.
Check Point found that an attacker could easily send a spoofed SMS message to a user containing a malicious link which, if clicked, would have given them access to the user’s account and the ability to manipulate its content, for example by deleting videos, uploading unauthorised content, or making private content public.
Hackers could also have used this method to force TikTok users onto a web server that they controlled, making it possible for them to send unwanted requests on the user’s behalf.
The subdomain vulnerability left TikTok open to cross-site scripting (XSS) attacks – a common form of attack in which cyber criminals inject malicious script into trusted websites. Check Point’s research team was able to exploit the vulnerability to extract personal data.
“Data is pervasive, and our latest research shows that the most popular apps are still at risk,” said Oded Vanunu, Check Point’s head of product vulnerability research. “Social media applications are highly targeted for vulnerabilities as they provide a good source of personal, private data and offer a large attack surface.
“Malicious actors are spending large amounts of money and time to try and penetrate these hugely popular applications – yet most users are under the assumption that they are protected by the app they are using.”
Check Point said it informed the site’s owners, ByteDance, of the vulnerabilities in November 2019, and the flaws have now been patched. Users are urged to check that they are running the most current version of the app on their devices.
TikTok security team lead Luke Deshotels said: “TikTok is committed to protecting user data. Like many organisations, we encourage responsible security researchers to privately disclose zero-day vulnerabilities to us.
“Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers.”
TikTok has emerged as a widely used successor to the now-defunct Vine app – which foundered after being bought by Twitter – particularly among teenagers and young adults, who use it to share, save and (if they wish) keep their video content private. Videos hosted on the platform frequently go viral across the internet.
However, despite its popularity, evidence of security risks associated with the platform has been piling up for months. Most recently, this has prompted the US government to ban it from use on military devices, partly because of national security concerns arising from its parent company, ByteDance, being based in China.
TikTok has faced further criticism for apparently censoring and removing videos relating to the ongoing pro-democracy protests in Hong Kong, and for cracking down on content created by LGBTQ+ people including in jurisdictions where they are not subject to legal persecution.
It also suppressed videos created by disabled people, people with facial disfigurements or birthmarks, people living with Down’s syndrome and people living with autism, under the pretext of protecting them from bullying and harassment.