Security researchers at Check Point informed the developer ByteDance back in November about some serious problems on the video-sharing platform TikTok. Initially popular in Asian countries, the short video creation platform has experienced huge growth in recent years and now has 1.5 billion downloads.
The flaws could have let hackers add or delete videos, change privacy settings and steal personal data. But they are now fixed! TikTok announced that it had patched the issues, and thanked the firm for alerting it to them.
"Like many organisations, we encourage responsible security researchers to privately disclose zero-day vulnerabilities to us," it said in a statement.
"Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage further collaboration with security researchers."
A zero-day vulnerability refers to a security flaw that has not been previously disclosed.
Check Point added that the vulnerability was in place for most of 2019, and said this raised "serious questions" about whether any hacker had discovered it.
It said that ByteDance had "responsibly deployed" a solution within a month of it being told about the problem.
Much of the issue lay in the way that TikTok handled users' mobile phone numbers, which people must provide when they register for the app.
Check Point discovered that hackers could access these numbers and send texts on behalf of TikTok. In turn that allowed a hacker to:
- delete videos, change settings on them from private to public or upload unauthorised videos
- force a TikTok user on to a web server controlled by the hacker, making it possible for the attacker to send unwanted requests on behalf of the user
- redirect users to a malicious website masquerading as TikTok
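The last item in that list describes the open-redirect class of bug: a link that looks like it leads to the legitimate site, but whose destination is chosen by whoever crafted the link. The page does not say how TikTok's redirect was abused or fixed, so the following is an added illustration of the standard defence rather than Check Point's finding or TikTok's own code. The allow-list hosts, the default landing page and all the test URLs are constructed for this example.

```python
from urllib.parse import urlparse

# Constructed allow-list for this illustration; not TikTok's real configuration.
ALLOWED_HOSTS = {"www.tiktok.com", "m.tiktok.com"}
DEFAULT_REDIRECT = "https://www.tiktok.com/"


def safe_redirect_target(candidate: str) -> str:
    """Return `candidate` only if it is a same-site relative path or an https
    URL whose host is on the allow-list; otherwise return DEFAULT_REDIRECT.

    Cases this deliberately rejects:
      - scheme-relative links ('//attacker.example/...')
      - userinfo tricks ('https://www.tiktok.com@attacker.example/')
      - lookalike hosts ('https://www.tiktok.com.attacker.example/')
      - plain http, which an on-path attacker could rewrite
      - backslash variants that browsers read as slashes ('/\\attacker.example')
    """
    if not candidate:
        return DEFAULT_REDIRECT

    # Browsers treat '\' as '/' in URLs, so normalise before parsing; otherwise
    # '/\\attacker.example' would parse as a harmless-looking relative path.
    cleaned = candidate.replace("\\", "/").strip()
    parsed = urlparse(cleaned)

    # Same-origin relative path: exactly one leading slash, no scheme or host.
    if (parsed.scheme == "" and parsed.netloc == ""
            and cleaned.startswith("/") and not cleaned.startswith("//")):
        return cleaned

    if parsed.scheme != "https":
        return DEFAULT_REDIRECT
    # 'https://www.tiktok.com@attacker.example/' parses with username set and
    # hostname 'attacker.example'; refuse anything carrying credentials.
    if parsed.username or parsed.password:
        return DEFAULT_REDIRECT
    host = (parsed.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return DEFAULT_REDIRECT
    return cleaned


if __name__ == "__main__":
    # Constructed sample links a notification or SMS handler might receive.
    for link in [
        "https://www.tiktok.com/video/123",
        "/foryou",
        "//attacker.example/phish",
        "https://www.tiktok.com@attacker.example/",
        "https://www.tiktok.com.attacker.example/",
        "http://www.tiktok.com/",
        "/\\attacker.example",
    ]:
        print(f"{link!r:50} -> {safe_redirect_target(link)}")
```

The important design choice is the allow-list: checking that a host merely *contains* or *starts with* the trusted name is exactly what lookalike domains exploit, so the comparison is against the full, lower-cased hostname after parsing.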
Pretty serious, you see? The security researchers were happy to contribute to making the platform safer, given the many questions that have been raised about its security.