A team of cybersecurity researchers discovered a flaw in TikTok that exposed personal data, such as phone numbers and profile details, to potential hackers, The Washington Times has learned.
The China-owned video app TikTok acknowledged the vulnerability but said it had no reason to believe user data was exposed through the problems first uncovered by Check Point Research (CPR).
Check Point Research’s team found that TikTok’s “Find Friends” feature bypassed privacy protections and made it possible for nefarious actors to harvest users’ data and build databases linking phone numbers to users’ profile details for future malicious cyberattacks.
Oded Vanunu, Check Point head of products vulnerabilities research, said his group previously found a security vulnerability in TikTok and wanted to learn whether the social media platform exposed users’ data. Mr. Vanunu found that TikTok did expose users’ data and said he was able to bypass “multiple protection mechanisms” used by TikTok.
“The vulnerability could have allowed an attacker to build a database of user details and their respective phone numbers. An attacker with that degree of sensitive information could perform a range of malicious activities, such as spearphishing or other criminal actions,” Mr. Vanunu said in a statement. “Our message to TikTok users is to share the bare minimum when it comes to your personal data. Update your [operating system] and applications to the latest versions.”
CPR told ByteDance, TikTok’s China-based owner, about the security vulnerability it discovered.
TikTok told The Washington Times it did have a bug in its system, but it insisted there were no indications or patterns suggesting user data was exploited by cyberattackers using the vulnerability. The company said its highest priorities are “security, privacy, and safety.”
“We appreciate the efforts of Check Point in identifying potential issues so that we can resolve them before users are impacted,” a TikTok spokesperson said in an email to The Times. “We continue to invest in strengthening our automation defenses to minimize these types of attacks.”
TikTok also said it believed only users who chose to provide their phone numbers could have been affected by any breach, and that other private information should not have been collectable by any attacker.
The latest flaw in TikTok’s security mechanisms comes as concerns about its data privacy protections prompted the Trump administration to attempt to banish it entirely. The Biden administration has not made clear precisely how its approach to TikTok will differ from the previous administration’s.