TikTok is used mainly by teenagers and kids, who use this app to share, save and keep private (and sometimes very sensitive) videos of themselves and their loved ones.
Researchers at Check Point recently found multiple vulnerabilities in the TikTok application and its backend, proving that one of the world’s fastest-growing applications was, indeed, exposed to exploitation. The revelation came as the United States military banned soldiers from using TikTok on government phones last week, deeming it a “cyber threat”. In addition, Check Point Research revealed that TikTok’s SMS system could be used to distribute and trigger these vulnerabilities, which include:
1. Uploading unauthorized videos and deleting videos
2. Moving a user’s videos from private to public
3. Extracting sensitive personal data, such as full name, email address and birthday
To download TikTok, a new user visits Tiktok.com, enters their phone number and receives a download link from TikTok via SMS.
The research found that an attacker could send a spoofed SMS message to a user containing a malicious link. When the user clicked on the malicious link, the attacker was able to take control of the TikTok account and manipulate its content by deleting videos, uploading unauthorized videos, and making private or “hidden” videos public.
The research also found that TikTok’s subdomain https://ads.tiktok.com was vulnerable to XSS attacks, a type of attack in which malicious scripts are injected into otherwise benign and trusted websites. Check Point researchers leveraged this vulnerability to retrieve personal information saved on user accounts, including private email addresses and birthdates.
Check Point researchers learned that a hacker can force a TikTok user onto a web server controlled by the hacker, making it possible for the attacker to send unwanted requests on behalf of the user.
Check Point Research informed ByteDance, the developer of TikTok, about these vulnerabilities in late November 2019, and a fix was deployed within a month so that TikTok users can continue to use the application safely.
“Data is pervasive but data breaches are becoming an epidemic, and our latest research shows that the most popular apps are still at risk,” says Oded Vanunu, Check Point’s head of product vulnerability research. “Social media applications are highly targeted for vulnerabilities as they provide a good source for private data and offer a good attack surface gate. Malicious actors are spending large amounts of money and putting in great effort to penetrate into such huge applications. Yet most users are under the assumption that they are protected by the app they are using.”
Luke Deshotels of TikTok’s security team says: “TikTok is committed to protecting user data. Like many organisations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us. Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers.”
Available in over 150 markets, used in 75 languages globally, and with over 1 billion users, TikTok is one of the most downloaded apps of the past year. As of October 2019, TikTok was the most downloaded app of the year in the United States, making it the first Chinese app to achieve such a record.
More information on the research is available on the Check Point Research blog.