The Jan. 8 report by Israel cybersecurity firm Checkpoint found a series of flaws that could enable attackers to manipulate user content, upload and delete videos, and reveal sensitive data such as birthdates, payment information, and email addresses.
The Chinese-owned short-video sharing platform—currently under heightened scrutiny over its potential national security risks—exploded in popularity in 2019 and was one of the world’s most downloaded apps as of October. It has 26.5 million monthly active users in the United States, according to the company.
The researchers said the security issues had existed for the majority of 2019, raising “serious questions” as to whether anyone has fallen victim, according to the BBC.
Following the report’s release, Luke Deshotels, a TikTok spokesperson, said in a statement that all reported security issues identified by the firm have been fixed in the latest version of the app.
One of the loopholes, dubbed SMS link spoofing, makes it possible for attackers to send fake messages to any phone number posing as TikTok.
The texting function on the app’s homepage allows users to send themselves a text to download the app. Taking advantage of the function, hackers could send messages containing a malicious link, which would give away user access once one clicks on it, the report said.
Researchers also found a weakness in TikTok’s infrastructure that would allow attackers to reroute users to malicious sites that appear legitimate.
Through a loophole in TikTok’s ad subdomain, the researchers were able to retrieve personal information from user accounts, including date of birth.
Researchers were also able to hijack the app by injecting malicious code, allowing them to perform other functions on the victim’s behalf, including creating videos, making a private video public, and approving followers’ requests.
Oded Vanunu, the head of Checkpoint’s product vulnerability research team, told The New York Times that the vulnerabilities they identified were all “all core to TikTok’s systems.”
“Malicious actors are spending large amounts of money and putting in great effort to penetrate into such huge applications. Yet most users are under the assumption that they are protected by the app they are using,” Vanunu said in a Jan. 8 statement.
Check Point alerted ByteDance, which owns TikTok, in November, the BBC reported.
In recent months, TikTok has been embroiled in controversies over its security risks.
U.S. military branches have asked their personnel to delete the app from their government-issued phones following a Pentagon directive issued in mid-December.
The Defense Department warned about the “potential risk” of the app exposing users’ personal information.
The Committee on Foreign Investment in the United States recently opened a probe into the $1 billion acquisition of U.S. app Musical.ly by TikTok owner and Chinese tech firm ByteDance in 2017.
Multiple senators have also publicly criticized TikTok for censoring content that is potentially sensitive to the Chinese regime.
A California college student recently filed a lawsuit against TikTok, alleging that the company had created an account without her knowledge and gathered biometric information about her.
“TikTok clandestinely has vacuumed up and transferred to servers in China vast quantities of private and personally-identifiable user data that can be employed to identify, profile and track the location and activities of users in the United States now and in the future,” according to the court complaint.