Security researchers identified several serious security vulnerabilities in TikTok. These would have allowed attackers to delete videos, change privacy settings, or even obtain personal information.
Security researchers from Check Point Research have discovered a number of security holes in the popular video app TikTok. As early as November 2019, the Israeli company informed TikTok developer ByteDance about the vulnerabilities. ByteDance then closed the gaps in a software update. According to the Chinese company, there is no evidence that the vulnerabilities have been exploited by attackers.
The core of the vulnerability was a feature on the TikTok website that allowed attackers to send TikTok SMS messages to their potential victims. The attacker could then have inserted their own link into the SMS. In this way, victims could have been redirected to a phishing site. It was also possible to use this link to send commands to the victim's TikTok app, for example to delete or create videos on the victim's behalf. In addition, private videos could have been made public.
TikTok user data was also at risk
In their tests, the researchers at Check Point Research also found a way to access sensitive user data such as email address, date of birth or payment information via the TikTok API. Security mechanisms were in place that should have prevented unauthorized access to this data, but the Israeli security experts were able to bypass them.