
TikTok flaws could have let hackers text you malware

Don't worry. They've been patched.

Laura Hautala Former Senior Writer

TikTok patched flaws in December that could've let hackers post from accounts, send malicious links to users and access personal information.

James Martin/CNET

TikTok lets you share 15-second videos with your followers. It also could've left you vulnerable to hackers, according to security researchers. They identified a series of software flaws in the popular video app that opened the door to a range of attacks on users.

In research published Wednesday, cybersecurity firm Check Point said the flaws could've let hackers send legitimate-looking text messages with links to malicious software. Attackers also could've published or deleted videos, made private videos public, and accessed personal user information from their targets' accounts, such as addresses and birthdays. The researchers worked with TikTok to get the vulnerabilities patched in December.

A TikTok spokesperson confirmed the company has fixed all the flaws. The company also said there's no indication hackers abused the vulnerabilities. The spokesperson said TikTok is committed to protecting user data.

"Like many organizations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us," the company said in a statement, referring to previously unknown security holes. "We hope that this successful resolution will encourage future collaboration with security researchers."

Though some of the attacks the researchers found would've taken several steps and a great deal of research to execute, others were fairly simple. Flaws in social media, gaming and messaging platforms are highly sought after by both criminals and state actors, Check Point researcher Oded Vanunu said. Legal businesses that buy and sell vulnerabilities in major platforms are willing to pay up to $1 million for certain kinds of SMS and other text-messaging service vulnerabilities. Their customers can include government spy and law enforcement agencies around the world.

TikTok, which operates outside China but is owned by Chinese tech company ByteDance, has run into its share of controversy when it comes to the security of user data. A California user sued the company in December, alleging TikTok shares user data with the Chinese government. The US Army banned service members from using the app on government phones, after initially using the service for recruitment.

Check Point researcher Vanunu said TikTok might attract hackers targeting its youthful users, who won't necessarily notice they've been hacked or that their accounts are being used to spread more malicious software.

"They can be proxies for additional attacks," Vanunu said.