TikTok Bugs Could Have Allowed Account Takeovers

The social video app TikTok has been branded a potential security threat for its ties to China—the app is owned by the Beijing-based company ByteDance—but like any piece of software it also has the potential for more immediate security concerns. Recently patched vulnerabilities in the app could have allowed an attacker to take over TikTok accounts, add or delete videos, and expose private data like user information or videos marked “hidden.”

Researchers from the security firm Check Point first disclosed the bugs to TikTok in late November, and the company patched all of them on iOS and Android by the end of December. The findings come, though, as Congress has held hearings and called for investigations in recent months over the possibility that the app poses a national security risk. And the US Army and Navy both banned the app from their devices at the end of 2019, calling it a cyber threat. All software has bugs, and a few vulnerabilities doesn’t show that TikTok is at all malicious. But the findings show that the social media app of the moment merits more scrutiny.

“The goal of our research was really to understand what is the the level of security and privacy that TikTok is providing,” says Oded Vanunu, Check Point’s head of product vulnerability research. “Once we finished the review and understood that we could easily manipulate the accounts, we said let’s stop here and share the information. We hope that now more researchers will check the app and that TikTok will increase their security validation cycle.”

The researchers noticed that TikTok offers a feature on its website for users to enter their phone numbers and receive an SMS message with a link to download the app. While analyzing this mechanism, they found that they could remotely manipulate the words in the text, as well as the download link, and send them to any phone number. From there they discovered that they could craft special links for these texts that would send commands to TikTok if a victim had already downloaded the app.

In practice, an attacker could have revamped an SMS message to target existing TikTok users, rather than just first-timers—and the texts would legitimately be coming from TikTok’s infrastructure. If a TikTok user clicked one of these malicious links, an attacker could have manipulated bugs in TikTok’s browser redirect setup and authentication mechanisms to manipulate their account—sending commands to add or delete videos, forcing the victim account to follow other accounts, making private videos public, or exfiltrating the victim’s personal account data like name and email addresses.

Vanunu says that TikTok was responsive about the disclosures and patched the issues within weeks. “TikTok is committed to protecting user data. Like many organizations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us,” Luke Deshotels, a member of the TikTok security team, said in a statement to Check Point. “We hope that this successful resolution will encourage future collaboration with security researchers.” TikTok and its parent ByteDance did not respond to a request for comment from WIRED.

Though TikTok has become increasingly popular—and increasingly scrutinized—there haven’t been many public disclosures of bugs found in the app. Most recently, at the beginning of September security researcher Melroy Bouwes published findings that both the iOS and Android versions of TikTok make certain requests over unencrypted web connections, potentially exposing this activity and some data like which videos users are watching. Bouwes first contacted TikTok in July regarding the findings and says he tried to reach the company three more times after that over two months. “I never received a reply,” he told WIRED. “I didn’t find a responsible disclosure procedure.”

TikTok has worked to promote a positive and secure image in the US to counter accusations of untrustworthiness. Last week the company released its first transparency report and today it is announcing revamped community guidelines. But the security research community has only scratched the surface, at least publicly, of what’s going on under the hood.

More Great WIRED Stories

Read More