A recently discovered vulnerability on the short-form video app TikTok would have allowed a cyberattacker to access user data, including phone numbers, Check Point Research found.
TikTok has since fixed the vulnerability in its “Find Friends” feature, which would have allowed potential bad actors to build a database of user information to conduct malicious cyberactivity, according to Check Point.
“Our primary motivation, this time around, was to explore the privacy of TikTok,” Check Point spokesperson Ekram Ahmed said in a statement. “We were curious if the TikTok platform could be used to gain private user data. It turns out that the answer was yes, as we were able to bypass multiple protection mechanisms of TikTok that lead to privacy violation.”
He added that the flaw Check Point researchers discovered “could have allowed an attacker to build a database of user details and their respective phone numbers.”
“An attacker with that degree of sensitive information could perform a range of malicious activities, such as spear phishing or other criminal actions,” Ahmed said.
The flaw is the second vulnerability Check Point has discovered within the TikTok app since last January, when it found one that could have given bad actors access to users’ personal information and account details and allowed attackers to act on behalf of users without their consent.
TikTok fixed that vulnerability after Check Point alerted the social media company of the issue and has since launched a program that encourages security researchers to find report security bugs to TikTok so that the company can fix them before hackers take advantage of the flaws.
“The security and privacy of the TikTok community is our highest priority, and we appreciate the work of trusted partners like Check Point in identifying potential issues so that we can resolve them before they affect users,” a TikTok spokesperson said in a statement.
The spokesperson added that TikTok continues to strengthen its “defenses” by regularly upgrading its “internal capabilities such as investing in automation defenses, and also by working with third parties.”
Check Point’s “message to TikTok users is to share the bare minimum when it comes to your personal data. Update your OS and applications to the latest versions,” Ahmed said.
Earlier this month, TikTok tightened its privacy policies for users under 18, which make up a large portion of the app’s userbase, by making accounts private by default for users between the ages of 13 and 15.
Videos from users between the ages of 16 and 17 will no longer be available to download by default unless users change their settings, and videos from users aged 15 years or younger will not be available to download. These users will also have restricted direct-messaging rules.
A tool called “family pairing,” meanwhile, lets parents link their TikTok account to their teen’s to enable content and privacy settings.
TikTok is wildly popular with teenagers and younger kids. A feature called TikTok for Younger Users offers pre-selected, “age appropriate” videos. The feature was added after TikTok’s predecessor, Musica.ly, settled FTC allegations that it illegally collected personal information from children. It also agreed to pay $5.7 million.
The former Trump administration took steps to threaten a U.S. ban on the app unless it sold its U.S. operations to U.S. companies, citing security concerns due to the app’s ownership under Chinese tech giant ByteDance.
Lawmakers expressed concerns that China could gain access to user information through the app using a 2017 national intelligence law requiring Chinese companies to disclose information to the CCP and pressured ByteDance to give Americans more control over its U.S. operations.
TikTok is engaged in negotiations with Oracle and Walmart to determine what the app’s future will look like within the U.S., but it is unclear where those negotiations currently stand under the new administration.