TikTok has been in the news lately for all the wrong reasons. Take for example the ban imposed by US Army, preventing soldiers from using the viral app on government-issued phones citing security concerns. Now, Check Point research has reported multiple vulnerabilities in the TikTok app that could allow hackers to gain control of a user account and manipulate its content, erase videos, change the privacy status, and do a lot more damage. Thankfully, the vulnerabilities in TikTok have now been fixed. While most of the fixes were on the back-end, users are recommended to update their apps to the latest version to be on the safe side.
Check Point Research mentions in its blog post that it was possible to send an SMS message to a mobile number on behalf of TikTok. This functionality is available on the official TikTok website to let users download the app. However, hackers can capture HTTP request using a proxy tool and spoof a message that can contain any harmful link the malicious party intends to send. The link in question can then redirect users to a malicious website, and this was made possible because the redirection process was found to be vulnerable. This further opens the possibility of launching Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and Sensitive Data Exposure attacks.
Once this happens, the attacker can take advantage of multiple intermediary techniques to become a follower of the victim and wreak havoc. The possible damage scenarios include deleting someone's TikTok videos, upload unauthorised clips, make ‘private' videos public, and even expose sensitive personal information associated with a TikTok account such as the linked email address, birth dates, payment details, and more. It is essentially equivalent to having a complete account takeover. Thankfully, Check Point Research notified TikTok about the vulnerability and the flaw was fixed before the findings were made public.
The security experts at Check Point Research also discovered that a TikTok subdomain (https://ads.tiktok.com) was vulnerable to XSS attacks, which could allow hackers to inject malicious scripts in trusted websites. In the case of TikTok, the injection point for launching an XSS attack was found in the search functionality. The Check Point Research blog post also notes that TikTok employed an unconventional JSONP callback that makes it possible to request data from API servers without CORS and SOP restrictions, which made it possible to steal data by initiating an AJAX request.
“TikTok is committed to protecting user data. Like many organisations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us. Before public disclosure, CheckPoint agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers,” Luke Deshotels from TikTok Security Team's was quoted as saying in Check Point Research' press release.