TikTok: A platform too big for hackers to ignore — but are users’ data safe?

• Experts had uncovered a serious TikTok vulnerability that could have exposed users to a 1-click account takeover exploit.
• TikTok also denied a breach which a threat actor claimed to have stolen 2 billion users’ data.

Viral video-sharing app TikTok, owned by China-based ByteDance, is commonly known as the most downloaded app worldwide. As of mid this year alone, the social media platform has surpassed more than 3.5 billion downloads, with more than a billion active monthly users. Inevitably, as it is the case with many other social media platforms, it makes it an enticing target for hackers and many had their guards up against TikTok. 

However, TikTok has fought back against the scrutiny — one too many times in fact. Most recently Shou Zi Chew, its chief executive, wrote directly to the US senators in July this year to “set the record straight” about the app’s data practices. Unfortunately, a month later on August 31, Microsoft announced that it discovered a “high-severity vulnerability” in the TikTok Android application, which could have “allowed attackers to compromise users’ accounts with a single click”.

“Attackers could have leveraged the vulnerability to hijack an account without users’ awareness if a targeted user simply clicked a specially crafted link. Attackers could have then accessed and modified users’ TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users,”  Dimitrios Valsamaras from the Microsoft 365 Defender Research Team said in a blog posting.

While the vulnerability identified by Microsoft is a narrower issue, several other cybersecurity analysts a few days later tweeted about a purportedly a breach of an insecure server that allowed access to TikTok’s storage, which they believe contained personal user data. For starters, Troy Hunt, an Australian web security consultant, went through some of the data samples listed in the leaked files and found matches between user profiles and videos posted under those IDs.

But some details included in the leak were “publicly accessible data that could have been constructed without breach.” He did mention that it is “so far pretty inconclusive; some data matches production info, albeit publicly accessible info. Some data is junk, but it could be non-production or test data,” he posted on Twitter. “It’s a bit of a mixed bag so far.”

Similarly, “database hunter” Bob Diachenko has validated the leaked user data as real, but couldn’t provide any concrete conclusions about the origin of the data. “While there is definitely a breach, it is still work in progress to confirm the origin of data, could be a third party,” he tweeted.

According to BleepingComputer last Friday, a hacking group known as ‘AgainstTheWest’ created a topic on a hacking forum claiming to have breached both TikTok and WeChat. The user shared screenshots of an alleged database belonging to the companies, which they say was accessed on an Alibaba cloud instance containing data for both TikTok and WeChat users. To make it worse, the threat actor says the server holds 2.05 billion records in a massive 790GB database containing user data, platform statistics, software code, cookies, auth tokens, server info, and many more.

TikTok was however quick to update BleepingComputer that the claims of the company being hacked are false. The company in fact said the source code shared on hacking forums isn’t part of its platform. “This is an incorrect claim — our security team investigated this statement and determined that the code in question is completely unrelated to TikTok’s backend source code, which has never been merged with WeChat data.”

TikTok also told BleepingComputer that the leaked user data could not result from a direct scraping of its platform, as they have adequate security safeguards to prevent automated scripts from collecting user information. In a separate Hacker News forum thread, it has been suggested that the data looks like it came not from TikTok itself but rather from a third-party that integrates with TikTok for marketing or e-commerce purposes. 

As of now, it is far from clear at the moment whether third-parties have access to this type of data in the first place, let alone if one has actually been breached. So far, TikTok has not failed to come under fire for moderation and content issues, as well as its ability to influence through a powerful recommendations algorithm.

To put it into context, TikTok can gather information when you arrive on the site even if you aren’t signed up, via cookies and other trackers. Once you’ve created an account, the social network collects data about your activities and preferences based on the videos you watch. TikTok also knows the device you are using, your location, IP address, search history, the content of your messages, what you’re viewing and for how long. 

It also collects device identifiers to track your interactions with advertisers. TikTok “infers” factors such as your age range, gender and interests based on the information it has about you. In the US, TikTok can collect biometric information including face and voiceprints.

---

---

---

---