Skip to main content

TikTok vulnerability could have allowed hackers to take over users’ profiles

Israel-based security research firm Check Point says it found multiple severe loopholes within short-form video app, TikTok that could have potentially allowed hackers to take over users’ accounts, access their private data, and upload videos on their behalf. The vulnerability made it possible for intruders to masquerade as TikTok and send official text messages with malicious links.

The vulnerabilities have been patched since November when Check Point discovered them and warned TikTok through server-side changes as well as app updates. Therefore, if you haven’t updated TikTok in a while, head over to the app store and do so immediately.

Recommended Videos

“TikTok is committed to protecting user data. Like many organizations, we encourage responsible security researchers to privately disclose zero-day vulnerabilities to us. Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers,” said Luke Deshotels, a member of TikTok’s team of security researchers, in a statement.

The bug originated from the download link request feature on TikTok’s website. But due to a programming oversight, hackers could tap into the company’s official SMS channel, and instead of the download link, forward users a malicious one. When someone clicked on it, they would unknowingly end up ceding access to a range of sensitive sections of their TikTok account. Once in, the hacker could upload videos, make private posts public, delete files, view personal information such as email addresses, and more.

That’s not all. Check Point was able to unearth another security loophole which could have let hackers gain access to TikTok’s database of millions of users by inserting a piece of malicious code inside the official website. The firm’s researchers, through this, managed to retrieve accounts’ private data including their names and birth dates.

TikTok claims it hasn’t found any affected users or instances of abuse yet.

In a little over two years, TikTok has rapidly accumulated over a billion users and downloads across the globe. However, the social network has come under lawmakers’ crosshairs in the United States primarily due to its Chinese roots. Privacy vulnerabilities such as this one could end up compounding those concerns further.

To combat the increased scrutiny, TikTok’s parent company, ByteDance has mulled setting up a headquarters outside of China. A recent Bloomberg report also said that ByteDance may be considering letting go of TikTok altogether or sell a majority stake to put an end to the growing concerns.

Shubham Agarwal
Shubham Agarwal is a freelance technology journalist from Ahmedabad, India. His work has previously appeared in Firstpost…
Former ByteDance exec claims China had access to TikTok data
TikTok logo on an iPhone.

TikTok is feeling the heat again after a former leading executive at its parent company, Byte Dance, made a series of damning claims in a wrongful dismissal lawsuit filed recently in the San Francisco Superior Court

Among the allegations made by Yintao Yu was that the Chinese Community Party (CCP) “maintained supreme access” to TikTok data stored in the U.S. when he worked for the company between 2017 and 2018.

Read more
TikTok CEO to face Congress on Thursday. Here’s how to watch
TikTok icon illustration.

TikTok CEO Shou Zi Chew testifies before Congress

TikTok CEO Shou Chew faces the fight of his life on Thursday, when he will try to convince a congressional committee that the hugely popular app poses no threat to national security.

Read more
TikTok should be expelled from app stores, senator says
TikTok icon illustration.

The wildly popular TikTok app continues to come under pressure from U.S. lawmakers.

Many are concerned that ByteDance, the Beijing-based company behind the app, has close ties with the Chinese government, and that laws in China mean it could be required to hand over user data to the government to assist in intelligence gathering.

Read more