Israel-based cybersecurity firm Check Point Research released a report on their findings today.
The vulnerabilities they found in the app could have allowed hackers to access “hidden” videos, upload videos, delete videos, manipulate content on TikTok accounts, and reveal personal information like email addresses.
Hackers could send users a text message that appeared to come from TikTok and contained a malicious link, which would have given the attackers the ability to take control of a user’s account. The researchers also found that the app’s website was vulnerable to an attack in which malicious scripts could be injected.
TikTok learned about Check Point’s findings on Nov. 20 and fixed the vulnerabilities by Dec. 15, according to the New York Times.
“Like many organizations, we encourage responsible security researchers to privately disclose zero-day vulnerabilities to us,” Luke Deshotels, the head of TikTok’s security team, told the Times. “Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers.”
The app, which is owned by China-based company ByteDance, has come under some scrutiny recently, with both the U.S. Army and the U.S. Navy banning it from government-issued phones, as they consider it a “cyber threat.”