TikTok is an enticing target for hackers
TikTok, the short-video sensation that’s among the world’s most downloaded apps, is coming under increased scrutiny over its data security as it guards the personal information of more than a billion users.
Last week, several cybersecurity analysts tweeted about the discovery of what was purportedly a breach of an insecure server that allowed access to TikTok’s storage, which they believe contained personal user data. Only days earlier, Microsoft Corp. said it had found a “high-severity vulnerability” in TikTok’s Android application, “which would have allowed attackers to compromise users’ accounts with a single click.”
ByteDance Ltd.’s TikTok surpassed a billion monthly users a year ago and now ranks as many young people’s favorite app. That makes it an enticing target for hackers who may seek to hijack popular accounts or sell sensitive information. It was identified as a privacy threat by the Trump administration in 2020 and nearly banned because of concern about potential links between its Beijing-based parent company and the Chinese government.
The pandemic was a great time to be a tech worker, as business boomed, working remotely became standard and perks flowed like water. Now, things look less certain.
TikTok said the claims of a breach discovered over the weekend were incorrect. “Our security team investigated this statement and determined that the code in question is completely unrelated to TikTok’s back-end source code,” a spokesperson said.
Troy Hunt, an Australian web security consultant, went through some of the data samples listed in the leaked files and found matches between user profiles and videos posted under those IDs. But some details included in the leak were “publicly accessible data that could have been constructed without breach.”
“This is so far pretty inconclusive; some data matches production info, albeit publicly accessible info. Some data is junk, but it could be non-production or test data,” he posted on Twitter. “It’s a bit of a mixed bag so far.”
The vulnerability identified by Microsoft is a narrower issue that could have affected phones running the Android operating system. It may have allowed attackers to access and modify “TikTok profiles and sensitive information, such as by publicizing private videos, sending messages and uploading videos on behalf of users,” wrote Dimitrios Valsamaras from the Microsoft 365 Defender Research Team.
A TikTok spokesperson said the company had responded quickly to Microsoft’s findings and fixed the security flaw, which was found “in some older versions of the Android app.”
However inconclusive or small the issues may be, there will be intense focus on TikTok and its parent firm at a time when the U.S. may step up its measures against businesses with links to China. In June, nine U.S. senators wrote a public letter to TikTok’s chief executive asking him to explain alleged security breaches.
President Biden is expected to sign an executive order that would restrict U.S. investment in Chinese tech companies, and a separate action targeting TikTok is a possibility, with the administration paying close attention to whether the Chinese government has access to American customer data. The company has told U.S. lawmakers that it has taken steps to protect those data through a contract with Oracle Corp.
“There’s a lot of attention on the way TikTok operates and there’s a big gap between how it operates and how it says it operates,” said Robert Potter, co-CEO of Australian-U.S. cybersecurity firm Internet 2.0 Inc.
In July, Potter’s team said in a report that it had found “excessive data harvesting” carried out by TikTok on users’ devices, that the app checks device location at least once an hour and it has code that collects serial numbers for both the device and the SIM card.
The report received wide attention in Australia, and Clare O’Neil, the new minister for home affairs, announced Monday that she has ordered her department to investigate what data TikTok acquires and who can access it.
“We’ve got this basic problem here where we’ve got technology companies that are based in countries with a more authoritarian approach to the private sector,” O’Neil said in emailed remarks. “TikTok is not the beginning and the end of this. It’s one of the very large number of issues that’s given rise to by these very dominant technology companies and the role they are playing in our lives.”
— With assistance from Bloomberg writer Zheping Huang.