The vulnerability could have resulted in TikTok users being sent messages containing malicious links. If a user clicked such a link, attackers could take control of that user's account. Check Point also discovered a separate flaw, which allowed researchers to obtain personal information via TikTok's website.
Check Point made TikTok aware of these vulnerabilities on November 20th last year, and by December 15th they had been fixed. TikTok said in a statement that it didn't appear that the flaws were exploited in any way:
"TikTok is committed to protecting user data. Like many organizations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us. Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers," said Luke Deshotels, PhD, TikTok Security Team. "Following a review of customer support records, we can confirm that we have not seen any patterns that would indicate an attack or breach occurred."
As TikTok's popularity has exploded -- the app has been downloaded some 1.5 billion times worldwide -- so has scrutiny over its parent company, ByteDance. A start-up success story, the Chinese company has links to the Chinese government that have led to concerns over global national security. ByteDance was at the center of a major security review back in November (ironically, just as these flaws were being discovered), while last week the US military opted to ban the app altogether.