TEL AVIV — TikTok, the smartphone app beloved by teenagers and used by hundreds of millions of people around the world, had serious vulnerabilities that would have allowed hackers to manipulate user data and reveal personal information, according to research published Wednesday by Check Point, a cybersecurity company in Israel.
The weaknesses would have allowed attackers to send TikTok users messages that carried malicious links. Once users clicked on the links, attackers would have been able to take control of their accounts, including uploading videos or gaining access to private videos. A separate flaw allowed Check Point researchers to retrieve personal information from TikTok user accounts through the company’s website.
“The vulnerabilities we found were all core to TikTok’s systems,” said Oded Vanunu, Check Point’s head of product vulnerability research.
TikTok learned about the conclusions of Check Point’s research on Nov. 20 and said it had fixed all of the vulnerabilities by Dec. 15.
The app, whose parent company is based in Beijing, has been called “the last sunny corner on the internet.” It allows users to post short, creative videos, which can easily be shared on various apps.
It has also become a target of lawmakers and regulators who are suspicious of Chinese technology. Several branches of the United States military have barred personnel from having the app on government-issued smartphones. The vulnerabilities discovered by Check Point are likely to compound those concerns.
TikTok has exploded in popularity over the past two years, becoming a rare Chinese internet success story in the West. It has been downloaded more than 1.5 billion times, according to the data firm Sensor Tower. Near the end of 2019, the research firm said TikTok appeared to be on its way to more downloads for the year than better-known apps from Facebook, Instagram, YouTube and Snap.
But new apps like TikTok offer opportunities for hackers looking to target services that haven’t been tested through years of security research and real-world attacks. And many of its users are young and perhaps not mindful of security updates.
“TikTok is committed to protecting user data,” said Luke Deshotels, the head of TikTok’s security team.
“Like many organizations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us,” he added. “Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers.”
Mr. Deshotels said there was no indication in customer records that a breach or an attack had occurred.
TikTok’s parent company, ByteDance, is one of the world’s most valuable tech start-ups. But TikTok’s popularity and its roots in China, where no large corporation can thrive outside the good graces of the government, have prompted intense scrutiny of the app’s content policies and data practices.
American lawmakers have expressed concern that TikTok censors material that the Chinese government does not like and allows Beijing to collect user data. TikTok has denied both accusations. The company also says that although ByteDance’s headquarters are in Beijing, regional managers for TikTok have significant autonomy over operations.
Check Point’s intelligence unit examined how easy it would be to hack into TikTok user accounts. It found that various functions of the app, including sending video files, had security issues.
“I would expect these types of vulnerabilities in a company like TikTok, which is probably more focused on tremendous growth, and on building new features for their users, rather than security,” said Christoph Hebeisen, the head of research at Lookout, another cybersecurity company.
One vulnerability allowed attackers to use a link in TikTok’s messaging system to send users messages that appeared to come from TikTok. The Check Point researchers tested the weakness by sending themselves links with malware that let them take control of accounts, uploading content, deleting videos and making private videos public.
The researchers also found that TikTok’s site was vulnerable to a type of attack that injects malicious code into trusted websites. Check Point researchers were able to retrieve users’ personal information, including names and birth dates.
Check Point sent a summary of its findings to the Department of Homeland Security in the United States.
The Committee on Foreign Investment in the United States, a panel that reviews investment deals on national security grounds, is also looking into ByteDance’s 2017 acquisition of Musical.ly, a lip-syncing app that the company later merged into TikTok. That deal set the stage for TikTok’s rapid rise in the United States and Europe.
There are also concerns about the company’s data privacy practices. In February, the Federal Trade Commission filed a complaint against TikTok, saying it illegally collected personal information from minors. The complaint claimed that Musical.ly had violated the Children’s Online Privacy Protection Act, which requires websites and online companies to direct children under 13 to get parental consent before the companies collect personal information.
TikTok agreed to pay $5.7 million to settle the complaint and said it would abide by COPPA. TikTok is still being investigated by the British Information Commissioner’s Office to determine if it violated European privacy laws that offer special protections to minors and their data.
Ronen Bergman reported from Tel Aviv, Sheera Frenkel from San Francisco, and Raymond Zhong from Hong Kong.