Popular TikTok may be exploited with a spoofed SMS
Editor’s Brief: The TikTok revolution that has supplanted much of the other social media such as Facebook and Instagram in Asia, may have a darker side, where hackers may be able to exploit it with a spoofed SMS message, as revealed by Check Point Research. Read more below.
SINGAPORE — TikTok has multiple vulnerabilities that could have allowed attacks to manipulate content on user accounts and even extract confidential personal information, as revealed today by Check Point Research, the Threat Intelligence arm of Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a leading global provider of cyber security solutions.
The majority of TikTok users are under the age of 18; these users are primarily teenagers and young adults who use the app to store, share, and view personal (and sometimes highly sensitive) videos of themselves and their loved ones. According to the study’s findings, an attacker can trick a user into clicking on a malicious link by sending a faked SMS message to the victim. The attacker gained access to the user’s TikTok account once they clicked the infected link, at which point they could delete movies, post new ones without permission, and make previously private videos visible to the public.
Exploitable cross-site scripting (XSS) flaws were discovered in the Tiktok subdomain ads.tiktok.com. XSS attacks include the injection of malicious scripts into otherwise legitimate and trusted websites. Researchers at Check Point exploited this flaw to access sensitive information, such as users’ email addresses and birthdays, that had been stored in user profiles.
TikTok’s developers were made aware of the flaws discovered by Check Point Research, and a patch was promptly released to address them.
“Data is pervasive but data breaches are becoming an epidemic, and our latest research shows that the most popular apps are still at risk,” said Oded Vanunu, Check Point’s Head of Product Vulnerability Research. “Social media applications are highly targeted for vulnerabilities as they provide a good source for private data and offer a good attack surface gate. Malicious actors are spending large amounts of money and putting in great effort to penetrate into such huge applications. Yet most users are under the assumption that they are protected by the app they are using.”
Luke Deshotels, PhD, TikTok Security Team: “TikTok is committed to protecting user data. Like many organisations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us. Before public disclosure, CheckPoint agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers.”
TikTok is one of the most popular apps out there, with over a billion users and availability in more than 150 markets and 75 languages. TikTok, a Chinese app, broke the record for most downloaded app in the United States in October of 2019.