Illustration: Aïda Amer/Axios
TikTok patched multiple holes in its security at the end of 2019 that had left the video sharing app's accounts, videos and user information potentially exposed for most of the year, as detailed in a new report from cybersecurity research firm CheckPoint.
Why it matters: No personal data was found to be compromised, but this report provides some of the first in-depth details of security risks faced by TikTok — which is under the microscope as lawmakers criticize its Chinese ownership.
- "We did prove that it was possible for a hacker to actually gain sensitive information," CheckPoint's Ekram Ahmed said, adding that the company has not yet found specific evidence of personal data breaches.
The big picture: TikTok's exposure depended on vulnerabilities in SMS text messaging that have confounded many other social media platforms and mobile services.
Details: CheckPoint found that attackers could delete a user's videos, create a video from a user's account, make private videos public, and scrape a user's sensitive information — like their email address, payment information or birthday.
- TikTok implemented fixes for these issues within 30 days of CheckPoint alerting the app in late November, spokespeople for both companies told Axios.
“TikTok is committed to protecting user data. Like many organizations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us. Before public disclosure, CheckPoint agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers."— Luke Deshotels, TikTok Security Team