TikTok, the Chinese-based app that has been the subject of national security inquiries in the U.S., had a vulnerability that could have allowed attackers to hack personal accounts, according to new research from Check Point Software Technologies.
Hackers could have used a backdoor to change TikTok users’ settings and turn private videos into public videos, according to Check Point researchers. They might also have been able to upload and delete videos.
Check Point, the Israel-based cyber-security firm, published its findings today on TikTok. There was no evidence that accounts had been hacked, the firm only uncovered potential vulnerabilities, and TikTok has since fixed the holes in its software.
Still, the mere existence of security flaws will be sure to interest U.S. authorities that have been concerned about the rise of TikTok. Last year, U.S. lawmakers Senator Marco Rubio and Senator Chuck Schumer began calling for national security reviews into the Chinese-owned app, and in recent weeks U.S. military officials have issued warnings to personnel to not use the app.
There have been concerns that U.S. soldiers and other military staff could be tracked through the app, divulge sensitive information through their activity, or share compromising data. Until now, the warnings have been somewhat vague. The new research, however, offers a concrete example of how accounts could be breached.
“We proved that the basic function [of TikTok] is not secure,” says Oded Vanunu, head of products vulnerability research at Check Point. “Anyone could have taken control of your account through TikTok’s infrastructure.”
“Think about bad actors, this [could be] a big problem, a huge problem,” Vanunu says in a phone interview discussing the research.
Check Point has conducted research into a number of platforms. Companies like Facebook and Google even offer rewards for security teams to uncover potential breaches. In this case, Check Point was looking into TikTok in the wake of the publicity surrounding the company and its potential threat to U.S. security interests, according to Vanunu.
TikTok offered the company a reward for finding the hole, but Check Point turned down the compensation, Vanunu says.
Check Point worked with TikTok after uncovering the security flaws, and they have since been patched, according to Vanunu and TikTok representatives.
“TikTok is committed to protecting user data,” said Luke Deshotels, a member of TikTok’s security team, in a statement. “Like many organizations, we encourage responsible security researchers to privately disclose zero-day vulnerabilities to us. Before public disclosure, CheckPoint agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers."
A “zero-day” vulnerability is another name for a security hole that leaves software open to attack until it is patched.
TikTok also said that it found no accounts that were compromised through the vulnerabilities uncovered by Check Point. “Following a review of customer support records, we can confirm that we have not seen any patterns that would indicate an attack or breach occurred,” Deshotels said.
How the hack worked
Researchers found a way to send spoofed messages to TikTok users’ phones. The messages could appear to come from TikTok and transmit links. If a user clicked on the links in the text message, that could give the hacker access to their TikTok accounts. Once in control, a bad actor could manipulate videos and privacy settings, among other malicious activities.
“Following a breach, attackers could easily get on those TikTok accounts and manipulate the content, delete videos, upload unauthorized videos, make private videos public,” Vanunu says.
TikTok, of course, is not alone in facing such hacking threats. All major platforms have been subjected to attacks and personal online accounts are typically vulnerable. “It’s not just TikTok,” says Ana Milicevic, co-founder of Sparrow Advisors, a digital technology consulting firm. “Every piece of software is hackable.”
TikTok just happens to be under increased scrutiny because it is internationally owned, Milicevic says. TikTok is owned by ByteDance, a Chinese company. ByteDance also owns Douyin, which is basically the same as TikTok but only for users in mainland China.
There are concerns that the Chinese government could exert control over its domestic companies and that could compromise users in the U.S. TikTok has sought to address those fears by saying that it does not transmit data from U.S. users to any servers in China. TikTok has also said it was willing to work with U.S. authorities to prove it is operating above board.
The company has been a success among U.S. users, rising to the top of app download charts and capturing the attention of many American teens. The app is mostly used for creating musical dance videos and memes.
U.S. brands have caught on, as well. The National Football League joined this season. Walmart and Guess Jeans have run hashtag challenges, which are promotions that encourage people to share messages that feature their marketing slogans. The Washington Post has been a prolific TikTok poster.
This new security exploit could show that brands are vulnerable, too. Their accounts could be open to hijacking, which is an issue brands have faced on Twitter and Instagram, where hackers take control of what a company posts on social media. It recently happened to Twitter CEO Jack Dorsey on his own platform.
“Brands should be worried about a takeover on TikTok,” Milicevic says. “They need to make sure they have a conversation internally to understand where there are opportunities for issues on any platform.”