2020-01-08

The social video app TikTok has been labeled a potential security threat because of its links with China – the app is owned by Beijing-based company ByteDance – but like any piece of software, it also carries more immediate security concerns. Recently patched vulnerabilities in the app could allow an attacker to take over TikTok accounts, add or remove videos, and expose private information such as personal account details or videos marked as “hidden.”

Researchers from the security company Check Point first reported the bugs to TikTok at the end of November, and the company patched them on iOS and Android at the end of December. The findings come at a time when Congress has held hearings in recent months and has called for an investigation into whether the app presents a national security risk. The US Army and Navy both banned the app from their devices at the end of 2019 and called it a cyber threat. All software contains bugs, and a few vulnerabilities do not by themselves show that TikTok is malicious. But the findings do show that the social media app deserves more scrutiny.

“The purpose of our research was really to understand the level of security and privacy that TikTok offers,” said Oded Vanunu, head of product vulnerability research at Check Point. “When we finished the assessment and understood that we could easily manipulate the accounts, we said we would stop here and share the information. We hope that more researchers will check the app now and that TikTok will extend their security validation cycle.”

The researchers noted that TikTok offers a feature on its website that allows users to enter their phone number and receive a text message with a link to download the app. When analyzing this mechanism, they discovered that they could remotely alter both the wording of the message and the download link, and send the message to any phone number. From there they found that they could craft special links for these texts that would send commands to TikTok if the recipient had already installed the app.

In practice, an attacker could have repurposed the text message to target existing TikTok users rather than just newcomers – and the texts would legitimately originate from TikTok’s own infrastructure. If a TikTok user clicked one of these malicious links, an attacker could have exploited bugs in TikTok’s browser redirect handling and authentication mechanisms to manipulate their account: sending commands to add or remove videos, forcing the victim’s account to follow other accounts, making private videos public, or exfiltrating the victim’s personal account information, such as name and e-mail address.

Vanunu says TikTok responded to the disclosure and fixed the issues within a few weeks. “TikTok is committed to protecting user data. Like many organizations, we encourage responsible security investigators to disclose zero-day vulnerabilities to us,” said Luke Deshotels, a member of the TikTok security team, in a statement to Check Point. “We hope that this successful resolution will encourage future collaboration with security researchers.” TikTok and its parent company ByteDance did not respond to a request for comment from WIRED.

Although TikTok has become increasingly popular – and increasingly scrutinized – few public vulnerability reports about the app have been published. Most recently, security researcher Melroy Bouwes published findings in early September that both the iOS and Android versions of TikTok were sending certain requests over unencrypted web connections, potentially exposing that activity and some data, such as which videos users were viewing. Bouwes first contacted TikTok about the findings in July and said he then tried to reach the company three more times over the following two months. “I never received an answer,” he told WIRED. “I have not found a responsible disclosure procedure.”

TikTok has worked to promote a positive and safe image in the US to counter accusations that it cannot be trusted. Last week the company released its first transparency report, and today it announced updated community guidelines. But the security research community has only scratched the surface of what is going on under the hood.
