TikTok fixes vulnerabilities allowing attackers to take control of user videos

By Jamie Harris, PA Science Technology Reporter

Vulnerabilities in TikTok which could allow hackers to manipulate content on user accounts have been fixed after they were revealed by security researchers.

Check Point alerted the app’s owners ByteDance to the issues in November, and an update patching the flaws was deployed within a month.

Popular among young people, TikTok’s video sharing platform was among the most downloaded apps of 2019.

The weakness meant an attacker could send a fake text message to victims that appeared as though it was from TikTok.

Clicking a malicious link contained in the message would grant bad actors access to the user’s account, allowing them to delete or upload videos, as well as make private or hidden videos public, Check Point said.

It also claimed hackers could extract confidential personal information saved on these accounts, such as users’ full names, email addresses and birthdays – though TikTok says it does not believe that any real names could have been accessed.

Luke Deshotels, from TikTok’s security team, said: “TikTok is committed to protecting user data.

“Like many organisations, we encourage responsible security researchers to privately disclose zero-day vulnerabilities to us.

“Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app.

“We hope that this successful resolution will encourage future collaboration with security researchers.”

TikTok says a review of customer support records has not shown any patterns that would indicate an attack or breach occurred.

“Data is pervasive, and our latest research shows that the most popular apps are still at risk,” explained Oded Vanunu, Check Point’s head of product vulnerability research.

“Social media applications are highly targeted for vulnerabilities as they provide a good source of personal, private data and offer a large attack surface.

“Malicious actors are spending large amounts of money and time to try and penetrate these hugely popular applications – yet most users are under the assumption that they are protected by the app they are using.”