The app is hugely popular in Ireland.
Cybersecurity research firm Check Point Research has said it found “multiple vulnerabilities” within the video sharing app TikTok.
The smartphone app, loved by teenagers and young people, boasts hundreds of millions of users worldwide but had serious vulnerabilities that would have allowed hackers to manipulate user data and reveal personal information.
Researchers from Check Point established that TikTok's website has a feature that lets users enter their phone number and receive an SMS with a link to download the app.
Check Point established it was possible to spoof text messages to make them appear to be from TikTok. You might think this is an easy scam to avoid, and everyone would know not to click on such a link. But the texts would legitimately be coming from TikTok infrastructure; they would just carry a different link from a regular TikTok message.
Once a user clicked on the link, hackers would have been able to access parts of the user’s TikTok account, including the ability to upload and delete videos and to change settings on the account.
The cybersecurity firm also found TikTok’s infrastructure would have allowed hackers to redirect a hacked user to a website which mirrored TikTok’s homepage. Combined with other hacking methods, this could have allowed for more attacks on the user’s TikTok account.
Due to vulnerabilities on the TikTok website, Check Point researchers were able to reveal sensitive information about the user, including email address, payment information and birthdates.
The company notified TikTok of the security concerns on 20 November 2019 and all reported issues were patched by TikTok in an update on 15 December last year.
Luke Deshotels, the head of TikTok’s security team, told The New York Times that there was “no indication” that anyone had exploited the security flaws while they existed.
TikTok is hugely popular among young people and allows users to post short, creative videos which can be shared on a variety of social media apps. The app is owned by Chinese company ByteDance.
However, in recent months the app has come under the spotlight in the US over security concerns. The US Army has banned the app from government phones, after initially using it as a recruitment tool.
“It is considered a cyber threat,” Army spokesperson Robin Ochoa told Military.com at the time. “We do not allow it on government phones.”