Woman holding mobile phone with TikTok logo on screen showing the TikTok security flaws which may allow hackers to steal personal data
TikTok Security Flaws May Have Allowed Hackers to Steal Personal Data by Scott Ikeda

TikTok Security Flaws May Have Allowed Hackers to Steal Personal Data

At the moment, TikTok is one of the hottest video sharing apps among teenagers and young adults around the world. Some security flaws recently discovered by an Israeli firm reveal that it may also be one of the most vulnerable. Security researchers at Check Point characterized the flaws as “core to TikTok’s systems”, raising serious questions about the safety of the Beijing-based app.

TikTok’s major security flaws

TikTok’s security flaws made it relatively simple to spoof the source of SMS messages, making it possible to pass a malware link under the guise of it coming from TikTok itself. The researchers also found that it was possible to exploit the ad system, make alterations to other people’s feeds and accounts without having direct access to them, and access sensitive personal information via API calls.

There is a lot to unpack here. The first of the security flaws is the ability for any user to send SMS messages to any other user that appear to come from TikTok. This could be done by exploiting the feature on the website by which users can text themselves a link to download the TikTok app. This request could be captured with a proxy tool and altered to be sent to any other phone number, with the embedded malicious links altered to send the victim to any potential attack site while still appearing to be legitimate.

TikTok’s ad system was also found to be vulnerable to cross site scripting (XSS) attacks. The vulnerability centered on the help system’s search function, which was allowing attackers to inject malicious code into the search URL. While this would not allow attackers to display malicious ads, it would allow anyone to post a seemingly benign link to a TikTok search that would actually redirect to a malware site.

The security researchers also found that TikTok did not have a proper cross-site request forgery (CSFR) defense system in place. This means that it was possible to alter request URLs to do things like add videos to and delete them from another user’s account, add followers to another account, and change video settings from private to public – all without any of the target’s login information.

Finally, some TikTok subdomain APIs were found to be leaking sensitive user data when called upon in the right way. This includes user email addresses, date of birth, income made from the platform and payment information on file.

Ongoing questions about TikTok

TikTok had been under some serious scrutiny prior to the uncovering of these security flaws. It is the rare example of a China-based app finding massive success across the world, including in rival nations such as the United States.

Even if the app is made impervious to security flaws, the fact that the ruling Communist Party of China (CPC) requires full access to the data of private companies upon request has had some in the West dispensing with it as a precaution. The United States Navy and Army have both banned it from use on government smartphones, and the New York Times reports that the Committee on Foreign Investment in the United States has opened a national security investigation into it. Questions have been raised at the highest levels of government about whether TikTok is surreptitiously funneling data back to China, and if parent company ByteDance is censoring content on the platform in keeping with CPC directives. A private class action lawsuit initiated by a Palo Alto college student alleges that very thing.

There is good reason for concerns about the reach of the app. It is estimated to have about one billion users worldwide (and continuing to grow), with a presence in 150 different markets outside of China.

ByteDance ran into additional trouble last year when it was forced to pay a $5.7 million fine for violation of the Child Online Privacy Protection Act (COPPA). After merging TikTok with Musical.ly, ByteDance failed to integrate required protections for minors such as requiring a parent’s permission before collecting personal data and restricting adults from contacting them.

Tim Mackey, Principal Security Strategist at Synopsys Software Integrity Group, commented:

“With 40% of TikTok users being between 10-19, the ability for this user base to detect or understand the implications of any scam are limited. Developers of apps targeting or popular with teens then have a social responsibility to protect their install base from threats designed to harvest their data or scam them.

“While TikTok was able to patch the issues identified by Check Point Research, during investigation of the issue the attack path would’ve been investigated. Developers performing this research would likely have identified not only the specific attack method, but could likely have discovered additional potential areas for user data to become compromised. This investigative process is common when faced with any security issue, but in addition to the patch the development team should’ve updated their threat models and performed a more thorough review of the security of their application.

“By both creating a patch and updating a threat model, an organisation can effectively prevent future attacks as developers tend to repeat coding patterns and if a given coding pattern leads to security issue under one condition, it likely leads to security issues when used elsewhere in the application.”

It is important to note that the researchers did not find anything indicating that these security flaws had been exploited by threat actors, and that TikTok patched all of the vulnerabilities on December 15 prior to public awareness of the issues. The company also revised its community guidelines in the wake of the breach notification, expressly forbidding illegal content such as hate speech and posts by violent extremist groups.

TikTok security engineer Luke Deshotels also issued a public statement regarding the security flaws: “Like many organizations we encourage responsible security researchers to privately disclose zero day vulnerabilities to us. Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app … We hope that this successful resolution will encourage future collaboration with security researchers.”