TikTok says that it has fixed a number of vulnerabilities uncovered by cybersecurity research firm Check Point that could have enabled bad actors to manipulate users’ content as well as to pilfer personal data.
According to The New York Times, one weakness would have enabled TikTokkers to send messages to other users with malicious links that, once clicked, enabled attackers to gain control of accounts — including posting and deleting content. Another security vulnerability enabled Check Point to get personal information about users through the company’s website, including their names and birth dates. Check Point sent these findings to the U.S. Department of Homeland Security.
TikTok learned of the flaws on Nov. 20, per the Times, and claimed to have repaired them by Dec. 15 — long before they were made public. The company also stated that no breaches had actually occurred.
Nevertheless, it’s not exactly a point of encouragement for the app, which is currently the subject of a U.S. national security probe amid concerns that it censors content in accordance with the Chinese government (TikTok is owned by Chinese internet giant ByteDance) and mines data from underage users. In testament to these concerns, the U.S. Army recently barred the app from government-owned smartphones.
“TikTok is committed to protecting user data,” Luke Deshotels, the head of TikTok’s security team, told the Times. “Like many organizations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us. Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers.”