We have all heard governments arguing that TikTok is ‘stealing user data and beaming it straight back to China’. And while those accusations are worrisome, so far there has been no real proof. ByteDance, TikTok’s parent company, has been trying to evade these allegations, calling them baseless. However, a new report from WSJ, which claims that TikTok used a known security flaw to track users’ MAC addresses, will make things harder for the Chinese company.

The news site analyzed the workings of the app, studying different versions spanning from 2018 to 2020. While it found that the platform “wasn’t collecting an unusual amount of information for a mobile app,” a previous version caught the attention of analysts. Researchers found that until late last year, TikTok used a known security flaw to bypass Android protections that stop apps from tracking users via the MAC address of their device.

“TikTok skirted a privacy safeguard in Google’s Android operating system to collect unique identifiers from millions of mobile devices, data that allows the app to track users online without allowing them to opt out,” WSJ said.

MAC addresses have been used to identify people on networks for a long time. They support the hardware implementation of the network stack, and remain unchanged even if the device were to change its network. This is why these addresses are often called hardware addresses or physical addresses. Thus, one can gather a lot from the correct MAC address.

Google has contingencies in place that help secure the MAC address of users. For this, the company offers an anonymized advertising ID, as WSJ says, that users can easily reset, in contrast to MAC addresses, which don’t offer the same liberty. However, TikTok managed to bypass this and gain users’ MAC addresses. While the ‘feature’ was ‘patched’ with an update on November 18th of last year, it doesn’t absolve the platform of all blame.

That is why the company’s clarification that “the current version of TikTok does not collect MAC addresses” does not do much for those whose data was secretly siphoned off.

Security threats like these are what led to the platform getting banned from India, and to an executive order from President Donald Trump banning US-based entities from doing any transactions with ByteDance as well as WeChat. The President has also set a deadline for the parent company to sell off TikTok’s business to an American company by 15th September, after which it will be banned from the U.S. as well. Companies like Microsoft and Twitter are in talks.