TikTok is China’s world-beating viral sensation—it is a genuine competitor to leading social media platforms like Instagram and Snapchat and kids around the world can’t get enough. But TikTok’s lightning success has taken the “grown-ups” by surprise. Last year we saw multiple warnings and an FTC fine over the risks of child data privacy and endangerment, U.S. lawmakers called for a national security inquiry and the military banned its use, citing its “cybersecurity threat.” Now a stunning new report has just exposed gaping holes in TikTok’s security, highlighting risks on the platform. Updates have been rushed out, but the issue for TikTok is that this will fuel its detractors.
In their new report, researchers at the cybersecurity firm Check Point have published details of multiple vulnerabilities found in TikTok’s architecture, specifically in how it manages its communications with its more than one billion users across 150 countries. The issues were disclosed and fixed, but they were serious and that should not be overlooked. The irony for TikTok is that this has nothing to do with its Chinese origins and everything to do with its global popularity. The technical specifics are less important than the sheer number of devices on which it is installed.
“This vulnerability is very severe,” Check Point’s lead researcher Oded Vanunu tells me, “it could trick any user on the TikTok network.” With an understanding of threat tactics, he explains, “bad actors can use social media to distribute malicious activity—because the usage is so high, it is an easy gate to penetrate an asset.”
So why is this so dangerous? It goes to the biggest challenge in mounting a cyber attack on specific devices or a wider campaign. How do I encourage users to download and install my threat? I can use social engineering, tailoring the delivery message and platform to trick my targets. I can launch a viral app and send a link, hoping they take the bait. But, most powerfully of all, I can have the message containing the threat sent from someone the target knows, someone they trust.
“Offensive parties can use this as a channel to distribute malware,” Vanunu says, “the chance a user will click is much higher. From the offensive side, a vulnerability on a huge platform can be used for many attacks. It’s a backdoor onto every device.”
Central to Check Point’s findings was a gaping security hole that would enable a malicious actor to communicate with any TikTok user by spoofing an SMS message that would seem to come from the platform. By manipulating an option for a user to SMS themselves a link to the app, an attacker could send a different link to a different user. That exploit opened up risks on the TikTok platform—data access, becoming a user’s follower without their permission, publishing private images, but it also allowed a malicious link to be sent to a TikTok user that would trigger an unrelated attack.
According to Vanunu, Check Point probes for weaknesses in major platforms precisely because of this risk. “We have seen the attack price for a vulnerability reach $1m,” he explains, using the alleged NSO Pegasus attack on WhatsApp users to emphasise the value in successfully breaching a mainstream messaging platform. “We continue to see these platforms as an access point for malicious actors.”
In terms of this specific risk, it is frighteningly simple and should never have slipped through security testing. “We found multiple vulnerabilities that allowed malicious actors easily to exploit TikTok’s SMS messaging. We spoofed those messages. I can send a TikTok message to any users and add a URL link from TikTok—any user who gets the message and clicks the link can be manipulated.”
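A server-side check of the kind that closes the SMS-link flaw described above and in Vanunu’s account, as an added example that is not Check Point’s or TikTok’s code: the permissive handler beside a hardened one. The endpoint shape, field names, phone-number format, the three-message quota and the sample session are all assumptions.

```python
import re
from dataclasses import dataclass

# Constructed placeholder for the platform's real download link.
DOWNLOAD_LINK = "https://app.example.invalid/download"
E164 = re.compile(r"^\+[1-9]\d{7,14}$")  # assumed recipient format


@dataclass
class Session:
    user_id: str
    verified_phone: str  # number the account verified at signup (assumption)


def send_sms(to: str, body: str) -> dict:
    """Stand-in for the SMS gateway: records what would have been sent."""
    return {"to": to, "body": body}


def send_link_permissive(session: Session, params: dict) -> dict:
    """Weak form: recipient and link both come from the client, so one request
    can deliver an arbitrary link to an arbitrary number under the platform's
    sender identity, the class of defect the article describes."""
    return send_sms(params["mobile"], f"Get the app: {params['download_url']}")


def send_link_hardened(session: Session, params: dict, quota: dict) -> str:
    """Hardened form. Returns 'sent' or the reason the request was refused.
    The link is fixed server-side, the recipient must be the authenticated
    account's own verified number, and each account gets a small quota."""
    if "download_url" in params:
        return "refused: client may not choose the link"
    mobile = params.get("mobile", "")
    if not E164.match(mobile):
        return "refused: malformed recipient"
    if mobile != session.verified_phone:
        return "refused: recipient is not this account's verified number"
    used = quota.get(session.user_id, 0)
    if used >= 3:
        return "refused: per-account quota exhausted"
    quota[session.user_id] = used + 1
    send_sms(mobile, f"Get the app: {DOWNLOAD_LINK}")
    return "sent"
```

The quota dictionary stands in for whatever per-account counter the real service keeps; the point is that neither the recipient nor the link is ever taken from the request body.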
A TikTok spokesperson confirmed the issue to me, emphasising that it was fixed as soon as Check Point privately disclosed it to them. In a statement, the company’s security team told me “TikTok is committed to protecting user data. Like many organizations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us. Before public disclosure, CheckPoint agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers.”
Check Point has published full details of the now-patched vulnerabilities. Most sit server side, and so users are now protected from the gravest risks. For now. And that’s the key point here. The specifics of the vulnerabilities are less critical than the glaring issue that has been uncovered. Just as we saw with a serious WhatsApp vulnerability flushed out by the same team last month: an attack vector that provides access to hundreds of millions of devices is an exceptionally potent cyber weapon.
The ubiquity of apps such as TikTok, WhatsApp, Instagram and Facebook, and the fact that each is at heart a messaging or communications platform, open universal attack vectors that should not be available. Put simply, if I want to mount a cyber attack on a target, I can pretty much guarantee that the target will have some if not all of the most common social media platforms on their device. If I can find a vulnerability in one of those platforms, I can attack that device. This was the crux of the WhatsApp NSO spyware issue last year, and it is a core feature of China’s mass-scale attacks on devices.
TikTok’s parent, China’s ByteDance, has now become one of the most valuable unicorns on the planet. Despite any security concerns, TikTok has set all kinds of records for downloads and installs for a Chinese app in the west. “Regardless of whether it’s Chinese or not,” Vanunu tells me, “this was an easy way for us to get to the user data. We did not focus on the Chinese link. We just put things on the table.”
Platform security is borderless. This is basic application housekeeping: rigorous testing rather than rushing out functionality. And that remains an issue. “The attack vectors were closed,” Vanunu confirms, “but every update introduces potential new vulnerabilities. This is not something that is going to end, given the complexity of the infrastructure.”
Check Point’s advice when it comes to social media and messaging platforms is simple: “Make sure those apps update automatically—they’re fixing issues all of the time.” Beyond that, Vanunu warns that “it is a race between good and bad. Malicious actors are spending huge resources to find vulnerabilities on these platforms, while on the other side, the good guys need to catch those and raise awareness.”