Personal information such as private addresses and email addresses was vulnerable to exposure in one of the world’s most trending apps
Check Point Research revealed today that it uncovered multiple vulnerabilities in TikTok which could have allowed attackers to manipulate content on user accounts, and even extract confidential personal information saved on these accounts.
TikTok is used mainly by teenagers and kids to share, save and keep private (and sometimes very sensitive) videos of themselves and friends. The research found that an attacker could send a spoofed SMS message to a user containing a malicious link. If the user clicked on the malicious link, the attacker was able to access the user’s TikTok account and manipulate its content by deleting videos, uploading unauthorized videos, and making private or “hidden” videos public.
The research also found that TikTok’s subdomain (https://ads.tiktok.com) was vulnerable to XSS attacks, a type of attack in which malicious scripts are injected into otherwise benign and trusted websites. Check Point researchers leveraged this vulnerability to retrieve personal information saved on user accounts, including private email addresses and birthdates.
Check Point Research informed ByteDance, TikTok’s developer, of the vulnerabilities exposed in this research in late November 2019, and a fix was responsibly deployed within a month to ensure its users can safely continue using the TikTok app.
“Data is pervasive, and our latest research shows that the most popular apps are still at risk,” said Oded Vanunu, Check Point’s Head of Product Vulnerability Research. “Social media applications are highly targeted for vulnerabilities as they provide a good source of personal, private data and offer a large attack surface. Malicious actors are spending large amounts of money and time to try and penetrate these hugely popular applications – yet most users are under the assumption that they are protected by the app they are using.”
Luke Deshotels, PhD, TikTok Security Team said: “TikTok is committed to protecting user data. Like many organizations, we encourage responsible security researchers to privately disclose zero-day vulnerabilities to us. Before public disclosure, CheckPoint agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers.”
How the vulnerabilities worked: TikTok’s SMS infrastructure
To download the TikTok app, a new user receives a download link via SMS from TikTok by visiting Tiktok.com and entering their phone number. Check Point researchers revealed that a hacker can manipulate and send text messages to any phone number on behalf of TikTok.
By impersonating TikTok via text, a hacker can inject and execute malicious code to perform unwanted actions, such as deleting videos, uploading unauthorized videos, and moving videos from ‘private’ to ‘public’ status. Check Point researchers also found that a hacker can force a TikTok user onto a web server controlled by the hacker, making it possible for the attacker to send unwanted requests on behalf of the user.
A hacker could also use the same technique to redirect a victim to a malicious website under the guise of tiktok.com. The redirection opens the possibility of accomplishing Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), and Sensitive Data Exposure attacks without user consent.
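The redirection described above hinges on a link target that the user (or an attacker impersonating TikTok’s SMS flow) controls being trusted without validation. The following is an added example written for this article, not code from Check Point or TikTok, showing the defender-side check such a flow needs: the target of a download link or redirect is accepted only if it is an absolute https URL whose host is on an exact allowlist, and anything else falls back to a fixed landing page. The host allowlist, the `DEFAULT_LANDING_URL` value, the function names and the sample inputs are all assumptions constructed for the example; it goes a little beyond the article by covering the common bypass shapes (scheme-relative links, userinfo tricks, lookalike hosts, odd ports, backslashes) that a naive “starts with tiktok.com” check would miss.

```python
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts that an SMS download link or redirect may point
# to. Exact match only: "evil.example" and "www.tiktok.com.evil.example" never
# match, and a lookalike host with non-ASCII characters is a different string.
ALLOWED_HOSTS = frozenset({"tiktok.com", "www.tiktok.com"})

# Fallback used whenever the supplied target fails validation (assumed value).
DEFAULT_LANDING_URL = "https://www.tiktok.com/download"


def is_safe_redirect(url: object) -> bool:
    """Accept only an absolute https URL whose host is on ALLOWED_HOSTS.

    Rejected on purpose: scheme-relative "//host", userinfo tricks such as
    "https://www.tiktok.com@evil.example", non-https schemes (http:, javascript:),
    non-default ports, and any backslash or whitespace, which some clients
    normalise into a slash before following the link.
    """
    if not isinstance(url, str) or not url:
        return False
    if any(ch in url for ch in "\\ \t\r\n"):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    # .hostname is already lower-cased; strip a trailing dot (FQDN form) so
    # "www.tiktok.com." compares equal to the allowlisted spelling.
    host = (parts.hostname or "").rstrip(".")
    return host in ALLOWED_HOSTS


def choose_landing_url(target: Optional[str]) -> str:
    """Return the caller-supplied target only if it validates; else the default."""
    if target is not None and is_safe_redirect(target):
        return target
    return DEFAULT_LANDING_URL


def build_sms_text(target: Optional[str]) -> str:
    """Compose the SMS body so the link in the message is always a validated one."""
    return f"Download TikTok here: {choose_landing_url(target)}"


def classify(candidates: Iterable[str]) -> Dict[str, bool]:
    """Map each candidate target to the validator's verdict (used by the demo)."""
    return {c: is_safe_redirect(c) for c in candidates}


# Constructed sample inputs: two legitimate targets and the usual bypass shapes.
SAMPLE_TARGETS = [
    "https://www.tiktok.com/download",
    "https://WWW.TikTok.com/download",
    "http://www.tiktok.com/download",
    "//evil.example/download",
    "https://www.tiktok.com@evil.example/",
    "https://www.tiktok.com.evil.example/",
    "https://www.tiktok.com:8443/download",
    "javascript:void(0)",
    "https://www.tiktok.com\\@evil.example/",
]

if __name__ == "__main__":
    for target, verdict in classify(SAMPLE_TARGETS).items():
        print(f"{'ALLOW' if verdict else 'REJECT':6} {target}")
    print(build_sms_text("https://evil.example/"))
```

The check is deliberately exact-match rather than suffix-based: if subdomains must be permitted, compare against a leading-dot suffix such as `".tiktok.com"` so that `www.tiktok.com.evil.example` still fails, and keep the scheme, userinfo and port checks, since the host is only one of the places an attacker-controlled target can hide.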
Available in over 150 markets, used in 75 languages globally, and with over 1 billion users, TikTok is currently one of the most popular apps: in October 2019, TikTok was the most downloaded app in the United States.