Researchers at Check Point discovered multiple security vulnerabilities in the popular short-video streaming app TikTok. According to the researchers, the vulnerabilities could have allowed attackers to access user accounts and expose private data, including names, email addresses, and dates of birth.
SMS Link Spoofing Vulnerability
The first vulnerability, in TikTok’s SMS functionality, was dubbed SMS Link Spoofing. The TikTok website allows users to send themselves a text message containing a link to download the app on their device. Because that message can be manipulated, the feature could be used to exploit user data for malicious purposes.
“Attackers using the SMS Link Spoofing vulnerability can send a custom link that contains the schemas mentioned above. Since the custom link will contain the URL parameter, the mobile application will open a browser window and go to the webpage written in the parameter from the mobile application,” Check Point explained.
However, this attack requires the hacker to know the phone number of the victim, which could be obtained via social engineering, phishing, or from a stolen list of numbers.
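The mechanism Check Point describes is a deep link whose URL parameter the app opens without question. The defensive check below is an added example, not Check Point’s or TikTok’s code; the deep-link scheme `example-app`, the parameter name `url`, and the host allowlist are assumptions for illustration.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hosts the app is willing to open from a deep-link "url" parameter.
# Assumed for this example; not TikTok's real configuration.
ALLOWED_HOSTS = {"tiktok.com", "www.tiktok.com"}


def safe_target(deep_link: str, param: str = "url") -> Optional[str]:
    """Return the URL the app may open, or None if it must refuse.

    The point of the check: a parameter naming a webpage is not, by
    itself, permission to open that webpage in the app's browser view.
    """
    query = urlsplit(deep_link).query
    target = parse_qs(query).get(param, [None])[0]
    if not target:
        return None
    # Backslashes are interpreted inconsistently across URL parsers;
    # refuse rather than guess how the platform browser will read them.
    if "\\" in target:
        return None
    t = urlsplit(target)
    # Only https: this rejects javascript:, file:, intent: and the like.
    if t.scheme.lower() != "https":
        return None
    # Reject embedded credentials such as "https://tiktok.com@evil.example".
    if t.username is not None or t.password is not None:
        return None
    host = (t.hostname or "").lower()
    # Exact host match only. Suffix matching would admit "evil-tiktok.com",
    # and prefix matching would admit "tiktok.com.evil.example".
    if host not in ALLOWED_HOSTS:
        return None
    return target


# Constructed sample deep links for a quick walk-through.
SAMPLES = [
    "example-app://open?url=https%3A%2F%2Fwww.tiktok.com%2Fdownload",
    "example-app://open?url=https%3A%2F%2Fevil.example%2F",
    "example-app://open?url=https%3A%2F%2Fwww.tiktok.com%40evil.example%2F",
    "example-app://open?url=javascript%3Aalert(1)",
    "example-app://open?url=https%3A%2F%2Fwww.tiktok.com.evil.example%2F",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{link}\n  -> {safe_target(link)}")
```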
Cross-Site Scripting (XSS) Vulnerability
The researchers also found that TikTok’s subdomain, https://ads.tiktok.com, was vulnerable to XSS attacks, in which malicious scripts are injected into otherwise trusted websites. They found that hackers could send a victim a malicious link that would redirect the victim to a malicious website.
The vulnerabilities allowed hackers to:
- Get hold of TikTok accounts and manipulate their content
- Delete videos
- Upload unauthorized videos
- Make private “hidden” videos public
- Reveal personal information saved on the account such as private email addresses
However, it is unclear whether the security flaws were ever exploited by attackers. Check Point said it reported the vulnerabilities to TikTok’s parent company, ByteDance, and that TikTok has since fixed the issues.
Luke Deshotels, security team member at TikTok, said, “TikTok is committed to protecting user data. Like many organizations, we encourage responsible security researchers to privately disclose zero-day vulnerabilities to us. Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers.”
In the last few months there have been further signs of the potential risks associated with TikTok. The U.S. Navy recently banned TikTok, citing cybersecurity concerns. The authorities issued a statement saying that serving members of both the U.S. Navy and Army who had the app installed on government-issued mobile devices would be blocked from the Navy-Marine Corps Intranet.
Earlier, TikTok was also hit with a class-action lawsuit in the U.S. claiming that the company surreptitiously transferred users’ data to Chinese servers without their consent. The proposed class-action lawsuit was filed in California federal court by Misty Hong, a student from Palo Alto.