Check Point Research says it was able to spoof text messages to users that appeared to come from TikTok

Cybersecurity research firm Check Point Research says it found “multiple vulnerabilities” within video sharing app TikTok that demonstrated its insecurity as scrutiny for the Chinese-owned company continues to grow.

Check Point found that it was possible to spoof text messages to make them appear to come from TikTok. Once a user clicked the fake link, a hacker would have been able to access parts of their TikTok account, including uploading and deleting videos and changing settings on existing videos from public to private.

Check Point also found that TikTok’s infrastructure would have allowed a hacker to redirect a hacked user to a malicious website that looked like TikTok’s homepage. This could have been combined with cross-site scripting and other attacks on the user’s account.

Sending links and other secure information over SMS is a well-known security concern and a favorite method for cybercriminals who want to access users’ phones. In 2014, the UK’s Information Commissioner’s Office fined a concert promoter more than $100,000 for sending spoofed text messages to concertgoers that appeared to come from their mothers. Amnesty International documented in 2018 how hackers could get around Gmail and Yahoo’s two-factor authentication safeguards by intercepting 2FA confirmation codes via SMS message.

Check Point says it notified TikTok’s parent company about the security vulnerabilities in November, and the app has since fixed the problem.

“TikTok is committed to protecting user data. Like many organizations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us,” TikTok security team member Luke Deshotels said in a statement. “Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers.”

Oded Vanunu, the lead researcher on Check Point’s report, said an app like TikTok — which is close to 1.5 billion global users in just two and a half years since launching outside of China — is a ripe target for hackers because of the amount of data and potentially private information being transferred. Since apps like TikTok can be used across multiple platforms, it’s easier for a malicious actor to escalate their activity quickly, he said.

“We see huge amounts of malicious activity on IM and social networks,” Vanunu said in an interview with The Verge. “What we’re trying to make sure people understand is that the cyber space is something that doesn’t just start and end on a sophisticated platform, but that if you’re in cyber space, even for day to day activity, your data and privacy are at risk.”

And it’s not just newer apps like TikTok that are vulnerable to attack, Vanunu added. “Even for veteran applications, they are not more or less vulnerable, but there’s potentially much more opportunity since they have so many users,” he said.

TikTok is owned by Chinese company ByteDance. The Committee on Foreign Investment in the United States says the app could pose national security concerns for Americans and possibly be used to influence or monitor them. The US Army has barred soldiers from using the TikTok app on government-owned phones, calling it a cyberthreat.

Vanunu said Check Point’s research didn’t get into whether TikTok posed any specific national security concerns but that it was not difficult to draw certain conclusions based on what it did find. “You can link the dots on what could be the implications for geopolitical cyber warfare,” he said.