If any of your private TikTok videos inexplicably went public — it could be because you downloaded the app using an SMS

Check Point finds multiple vulnerabilities with TikTok
Business Insider India

  • A new investigation by Check Point Research finds that TikTok has multiple vulnerabilities.
  • An SMS service on the app’s website could send spoofed messages allowing attackers to get a hold of a user’s TikTok account.
  • Another vulnerability was found in a TikTok subdomain capable of stealing personal information.
TikTok is used by over a billion people around the world — primarily kids and teenagers. And it might not be as safe as you think.

"Data is pervasive but data breaches are becoming an epidemic, and our latest research shows that the most popular apps are still at risk," said Oded Vanunu, Check Point’s Head of Product Vulnerability Research.

Check Point’s investigation reveals that TikTok’s SMS service for sending app download links could be manipulated to send spoofed links. Clicking on such a link could give attackers direct access to a user’s account. From there, the attackers could do anything from publicly sharing private videos and manipulating uploaded content to uploading new videos altogether.

The difference between a legitimate and a spoofed message sent using TikTok's SMS service (image: Check Point Research)
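A server-side check of the kind that closes this class of issue, written here as an added example (it is not Check Point's or TikTok's code): the SMS endpoint only ever sends a link that is an absolute HTTPS URL to an allowlisted host, and otherwise falls back to the canonical download link. The host names, the idea that the link arrives as a request parameter, and the message format are assumptions, since the article does not describe how the link was manipulated.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts the SMS feature may link to
# (illustrative values, not any real app's configuration).
ALLOWED_HOSTS = {"www.example-app.com", "example-app.com"}
CANONICAL_LINK = "https://www.example-app.com/download"  # assumed fallback


def is_safe_download_link(url: str) -> bool:
    """Return True only for an absolute HTTPS link to an allowlisted host.

    Rejects the usual ways a link parameter gets bent towards an attacker
    host: scheme-relative URLs, userinfo tricks (evil@good), look-alike
    subdomains (good.com.evil), odd ports, control characters, non-HTTPS.
    """
    if not isinstance(url, str) or not url or len(url) > 2048:
        return False
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # lower-cased, stripped of port and userinfo
    if host is None or host not in ALLOWED_HOSTS:
        return False
    if port not in (None, 443):
        return False
    return True


def build_download_sms(requested_link: str) -> str:
    """Compose the SMS body; never echo an untrusted link into the message."""
    link = requested_link if is_safe_download_link(requested_link) else CANONICAL_LINK
    return f"Download the app: {link}"
```

Exact host matching against an allowlist (rather than a prefix or substring check) is the part that defeats the look-alike and userinfo variants.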

In addition, a TikTok subdomain was found to be vulnerable to cross-site scripting (XSS). Through the search functionality, attackers could gain access to users’ personal information such as real names, dates of birth and contact details.


TikTok has since fixed both problems but is yet to respond to Business Insider’s request to know if any users were impacted prior to the patch.

"TikTok is committed to protecting user data. Like many organizations, we encourage responsible security researchers to privately disclose zero-day vulnerabilities to us. Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers," Luke Deshotels from the TikTok Security Team told Check Point.

TikTok’s good — hackers are better

TikTok is available in 75 different languages spanning over 150 markets. It’s a treasure trove of data.

"Social media applications are highly targeted for vulnerabilities as they provide a good source for private data and offer a good attack surface gate," said Vanunu.

It’s not that the company hasn’t put security measures in place — it’s that hackers are getting better at finding ways to circumvent them.

"Malicious actors are spending large amounts of money and putting in great effort to penetrate into such huge applications. Yet most users are under the assumption that they are protected by the app they are using," Vanunu explained.

In recent days, the US has been in an uproar around TikTok’s security. The US Navy and Army had already banned its use by their personnel.

"The TikTok app poses a potential national security risk," senior democrat Chuck Schumer wrote to the government. A week later the New York Times reported that the US government had put TikTok under national security review.
