TikTok, the third busiest app in 2019, is undergoing a rigorous study on user privacy, censorship of politically conflicting content and national security considerations – but it’s not the end, as the safety of billions of TikTok users will now be in the discussion.
A well-known Chinese viral video sharing application contained potentially dangerous vulnerabilities that could allow remote attackers to hack any user account simply by knowing the number of mobile victims.
In a private access report, Check Point cybersecurity researchers found that the combination of several vulnerabilities allowed them to remotely execute malicious code and perform unwanted actions on behalf of the victims without their consent to hack TikTok account of them.
Also Read: How To Do Man in the Middle Attack in Kali Linux
The vulnerabilities detected to hack TikTok account include low severity issues such as SMS spoofing, open redirection and cross-site scripting (XSS), which in combination could allow a remote user to perform powerful attacks, including:
- remove all videos from the TikTok victim profile
- Upload unauthorized videos to the TikTok victim profile
- make private “hidden” videos public
- Disclose personal information stored in your account, such as personal addresses and e-mails.
The attack uses the unsafe SMS system that TikTok offers on its website so that users can send a message to their phone number with a link to download the video-sharing application.
According to the researchers, an attacker could send an SMS message to any phone number on behalf of TikTok with a modified download URL on a malicious page designed to run the code on the target device with the TikTok application already installed.
Along with problems of open redirection and cross-site scripting, an attack can allow hackers to execute JavaScript code on behalf of the victim as soon as they click on the link sent by the TikTok server via SMS, as shown in the CheckPoint video demonstration.
This method is commonly known as cross-site request forgery attack, where attackers trick authenticated users into taking unwanted actions.
“Due to the lack of a mechanism to falsify anti-site requests, we realized that we can execute JavaScript code and perform actions on behalf of the victim without his consent,” said a blog post today.
Also Read: How To Sniff Password Using Wireshark
“Redirecting a user to a malicious website will execute the JavaScript code and send requests to Tiktok using the victims’ cookies.”
Check Point responsibly reported these vulnerabilities to ByteDance, the developer TikTok, in late November 2019, which then released a fixed version of its mobile application within a month to protect its users from hackers.
If you don’t have the latest version of TikTok available in the official app stores for Android and iOS, we recommend updating it as soon as possible.
