A cybersecurity firm said Wednesday it had found “multiple vulnerabilities” in social video sharing platform TikTok that could allow hackers to add or delete videos and to extract personal information.
TikTok is a China-owned video app popular with millions of U.S. teens and young adults.
Check Point Research said one vulnerability it found could allow a hacker to send a bogus text message to a user that contains a malicious link. If someone clicks the link, the hacker could gain access to the TikTok account and subsequently add and delete videos, or make hidden videos public.
Check Point said it also discovered that a TikTok subdomain could be vulnerable to malicious scripts. Its researchers were able to use this to obtain users’ personal information including birthdates and private email addresses.
BBC News reported separately that the vulnerability was in place for most of 2019.
Check Point says it informed TikTok of the problems and that “a fix was responsibly deployed.”
“Social media applications are highly targeted for vulnerabilities as they provide a good source for private data and offer a good attack surface gate. Malicious actors are spending large amounts of money and putting in great effort to penetrate into such huge applications. Yet most users are under the assumption that they are protected by the app they are using,” Oded Vanunu, Check Point’s Head of Product Vulnerability Research, said in a statement.
“Like many organizations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us,” Luke Deshotels of TikTok’s security team said in a statement. “Before public disclosure, CheckPoint agreed that all reported issues were patched in the latest version of our app.”
Zero day vulnerabilities refer to those that have not been previously disclosed.
Multiple reports late last year said the U.S. government had launched a national security review of TikTok.