For the better part of 2019, TikTok contained vulnerabilities that could have enabled hackers to access users’ personal information, payment details and private videos.

The flaws were detailed today by a group of researchers from cybersecurity provider Check Point Software Technologies Ltd. The company previously reported the issue to TikTok’s creator, China-based ByteDance Ltd., in November and waited for a fix to be rolled out before going public with the findings. Check Point and ByteDance said that the latest version of the app is patched against all the discovered vulnerabilities.

TikTok is a video-sharing app popular mainly among younger users that has been downloaded more than 1.5 billion times worldwide. The service has recently come under considerable scrutiny in the U.S. on concerns about potential security risks arising from its Chinese ownership.

Check Point’s revelation today is to likely raise fresh questions about user privacy on TikTok. The vulnerabilities spotted by the company could have enabled hackers to extensively breach user accounts and affected several parts of ByteDance’s infrastructure, starting from the website where users download TikTok. 

Consumers wishing to install the app on their phones need to navigate to TikTok’s homepage, where they enter their phone number to receive download instructions via SMS text message. Check Point’s researchers discovered that a hacker could intercept the website request and send users a malicious text that appears as if it came from TikTok.

There were multiple ways to weaponize this flaw, the researchers detailed. It allowed hackers to send legitimate-looking texts containing a link to a malicious site, which in turn could exploit the TikTok cookies on the user’s device to change their app settings. It was in this way possible for an attack to add and delete videos from accounts as well as make private clips publicly accessible.

“While reverse engineering the TikTok app on an Android mobile, we found that it has a ‘deep links’ functionality, making it possible to invoke intents in the app via a browser link,” the researchers elaborated in a blog post. 

An even more severe flaw was found in TikTok’s application programming interface for developers. The API, Check Point determined, could be abused to retrieve users’ email addresses, payment details, birth dates and other personal data. A third exploit affecting TikTok’s online knowledge base for advertisers made it possible to inject malicious scripts into the page via the search bar.

“The research presented here shows the risks associated with one of the most popular and widely used social apps in the world,” Check Point’s researchers noted. “Such risks enforce the essential need for privacy and data security in the cyber world we live in. Data breaches are becoming an epidemic.”

The security software maker didn’t say if any of the vulnerabilities were exploited in the wild. However, the BBC cited a company representative as saying that the fact that the flaws lurked in TikTok’s code for most of 2019 raises “serious questions” as to whether any bad actors might have stumbled upon them.

Image: TikTok