The personal information and content of TikTok’s 1bn users were left vulnerable to hackers, according to a group of cyber security experts, as fears persist over the security of the Chinese-owned viral video app.

Researchers at Israeli security software company Check Point said on Wednesday that they had found several vulnerabilities in the infrastructure of the social media platform, which could have allowed attackers to access user data. The issues have since been fixed by TikTok, which said that there was no evidence of any breaches.

The news comes as the fast-growing platform, which is popular among Western teenagers and owned by Beijing-based ByteDance, faces scrutiny from US politicians over its Chinese roots, in part for data privacy reasons. 

TikTok users sign up to the platform by entering their mobile number on the company’s website and receiving a text message with a link to download. 

According to Check Point’s findings, potential attackers could hack this SMS system, sending users malicious links that appeared to come from TikTok but that, if clicked, instead gave the attackers control of parts of users’ accounts.

In particular, the researchers found they could access users’ personal information, including full names, email addresses and birth dates, and also add or delete content and change privacy settings.

“There are multiple vulnerabilities that can be triggered by TikTok’s SMS infrastructure,” said Oded Vanunu, head of product vulnerability research at the security company, adding that his team had notified TikTok of the issues in November. “There is an easy way to take control, manipulate and take some private information.” 

The news comes as even the largest social media platforms struggle to keep a lid on the troves of user data that they gather to help advertisers better target commercials. Rival Facebook in December said it was investigating reports that a database containing more than 267m records of its users’ personal information was being circulated online by hackers. 

TikTok has also prompted national security concerns. US watchdogs recently opened a national security probe into the app after members of Congress expressed concern that it could send users’ data back to China. TikTok has strongly denied this claim. 

Meanwhile the US military, including the Navy and Army, has banned members from using the app in recent weeks, after the Pentagon reportedly issued guidance that troops should uninstall it to prevent the exposure of personal information. 

On Wednesday, TikTok said it had deployed a fix for all the vulnerabilities that Check Point had alerted it to, adding that there was no indication that those weaknesses had actually been exploited by attackers.

“TikTok is committed to protecting user data. Like many organisations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us,” said Luke Deshotels, part of TikTok’s security team. 

“Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers,” he added.


Copyright The Financial Times Limited 2020. All rights reserved.
