Tel Aviv, Israel-based cyber security solutions provider Check Point Software Technologies’ intelligence arm Check Point Research said that it has uncovered multiple vulnerabilities in popular short video platform TikTok.
It found that an attacker could potentially manipulate content on user accounts and extract confidential personal information such as email addresses and birthdates.
With over a billion users, TikTok is one of the most downloaded applications on Google Play and the App Store, as per Check Point data.
“Social media applications are targeted for vulnerabilities as they provide a good source for private data and offer a good attack surface. Malicious actors are spending large amounts of money and putting in great effort to penetrate such applications. Yet, most users are under the assumption that they are protected by the app they are using,” Oded Vanunu, Check Point’s head of product vulnerability research, said.
Check Point, in a statement, said that an attacker could send a malicious link to an individual via text message which, when opened, would give the attacker access to the individual’s TikTok account, where the attacker could delete content, upload unauthorised videos and make private accounts public. Additionally, Check Point found that TikTok’s subdomain https://ads.tiktok.com was vulnerable to an XSS (cross-site scripting) attack, in which malicious scripts could be injected into otherwise benign and trusted websites.
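To make the XSS class of flaw concrete from a defender's side, here is an added illustration that is not Check Point's research code nor anything from TikTok: the page names the affected host but not the injection point, so the reflected query parameter and the page template below are assumptions. It shows the vulnerable pattern (untrusted input concatenated into markup) beside the hardened one (input HTML-encoded first), plus a small reflection check of the kind a code reviewer or scanner would run.

```javascript
// Added example: illustrates reflected XSS and its fix in the abstract.
// Not Check Point's or TikTok's code; the parameter name and template are assumed.

// Encode the five characters that change meaning in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: a query-string value reflected straight into the page markup,
// so any tag in the value becomes part of the document the browser renders.
function renderUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened pattern: the same template, but the untrusted value is encoded first,
// so the browser shows the characters literally instead of parsing them as tags.
function renderSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Reflection check: does the input survive unchanged (i.e. as live markup) in the output?
// This is the test a reviewer or an automated scanner applies to a rendering function.
function reflectsMarkup(renderer, probe) {
  return renderer(probe).includes(probe);
}

// Constructed probe: an inert tag used only to detect reflection; it does nothing itself.
const PROBE = '<b id="probe">';

// Defence in depth: a Content-Security-Policy that only runs scripts carrying the
// per-response nonce, so even a reflected <script> tag would be refused by the browser.
function cspHeader(nonce) {
  return `script-src 'nonce-${nonce}'; object-src 'none'; base-uri 'none'`;
}

console.log("unsafe reflects markup:", reflectsMarkup(renderUnsafe, PROBE)); // true
console.log("safe reflects markup:  ", reflectsMarkup(renderSafe, PROBE));   // false
```

Output encoding at the point where untrusted data enters the document is the primary fix; the CSP header is a second layer that limits what an injected script could do if an encoding step is missed somewhere else on the host.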
TikTok said it fixed the vulnerabilities after Check Point notified it of them.
“TikTok is committed to protecting user data. Like many organisations, we encourage responsible security researchers to privately disclose zero-day vulnerabilities to us. Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers,” Luke Deshotels of TikTok’s security team said.
Recently, TikTok received the largest number of takedown requests from India in 2019. These requests covered content that was deemed to be in violation of local laws, or asked for information related to accounts under certain defined circumstances, such as to assist in a criminal investigation or an emergency request. Requests were also received from copyright owners looking to protect their intellectual property.