TikTok, the widely popular short-form video app, is used mostly by teens to produce lip-syncing videos 3 seconds to 15 seconds in length. Loops as long as 60 seconds can be created and shared. But there have been serious questions regarding the security of the app. Back in April, after the app was the most downloaded social media title during the first quarter (#1 on Android, #2 on iOS), the Peterson Institute for International Economics called TikTok a “Huawei-sized problem.” Why? Because the app was developed by a Chinese company. The Peterson Institute’s worry was that the app can gather intelligence in the form of location and biometric data and send it to Beijing.
Senators Chuck Schumer (D-NY) and Tom Cotton (R-AR) last year requested in a letter to Joseph Maguire, the acting director of national intelligence, that TikTok be the subject of a national security investigation. The lawmakers wrote that they were concerned about who sees the personal data generated by TikTok users in the U.S. In a subsequent email, Senator Schumer wrote, “apps like TikTok…may pose serious risks to millions of Americans and deserve greater scrutiny.” The New York Times published a story last November stating that the app is indeed under national security review.
Research firm finds exploits on top-ranked iOS and Android app TikTok
But there are other security issues related to the app. Today, Check Point Research published a report in which it notes that “In the last few months we have seen evidence of the potential risks embedded within the TikTok application.” The report also states that the Army has banned the use of the app on government phones after using it to try to get recruits. Check Point focuses on serious vulnerabilities in the TikTok app that left gaping security holes that could have been used against users. These issues could allow a hacker to manipulate and delete the content of TikTok account holders, make private videos accessible to the public, and release account holders’ personal information such as their email address.
Check Point Research discovered that the aforementioned issues can take place when a bad actor sends a spoofed SMS to a TikTok member and makes it appear as though it came from TikTok itself. While smartphone users can send an SMS message to themselves that delivers a link allowing them to install the TikTok app, this feature can be hijacked and used to send unsuspecting users a phony link that could lead to their TikTok account being hacked. The video that accompanies this article, produced by Check Point, shows these different security issues that TikTok users could have been subject to.
This spoofed SMS appears to come from TikTok but does not; it contains a malicious link
According to the research firm, after contacting the developer of TikTok “a solution was responsibly deployed” that allows users of the app to use it safely. In a statement, TikTok security team member Luke Deshotels said, “TikTok is committed to protecting user data. We hope that this successful resolution will encourage future collaboration with security researchers.”
The app is owned by Beijing ByteDance Technology Company, and the U.S. is reportedly looking at the latter’s purchase of Musical.ly. Musical.ly was an app similar to TikTok and was ultimately merged into it after the transaction closed. The deal is being looked at by the Committee on Foreign Investment in the United States (CFIUS). This committee examines foreign purchases of U.S. companies to make sure that there are no national security issues related to the transaction. When ByteDance made the purchase, it failed to clear it with CFIUS, which is why the deal is now under review.