Background

TikTok Fixed Vulnerabilities That Allowed Account Takeover Using Text Messages


TikTok from ByteDance is one of the most entertaining places in social media.

The application is popular among teenagers, who use it to create short music clips, mostly lip-sync clips of 3 to 15 seconds, and short looping videos of 3 to 60 seconds. The application allows users to share, save and keep private videos of themselves and their loved ones.

Now the platform has fixed vulnerabilities that allowed hackers to take over anyone's account by just sending a text message.

The bugs were first disclosed by the Israel-based security firm Check Point Research. In a blog post, its researchers described multiple vulnerabilities in the TikTok application, and noted that by chaining them, bad actors could do the following:

  1. Get a hold of TikTok accounts and manipulate their content.
  2. Delete videos.
  3. Upload unauthorized videos.
  4. Make private “hidden” videos public.
  5. Reveal personal information saved on the account such as private email addresses.

Going through the details, the first of the discovered security flaws is SMS link spoofing.

"During our research we found that it is possible to send an SMS message to any phone number on behalf of TikTok," said the researchers.

On TikTok’s main website, there is a feature that lets users send themselves an SMS message in order to download the application. An attacker who wanted to send an SMS message to a victim could capture the HTTP request using a proxy tool. The Mobile parameter holds the phone number to which the SMS will be sent, and the download_url parameter holds the link that will appear in the SMS message.

Because the server trusted both parameters, an attacker could simply change them to spoof an SMS message from TikTok whose body contained whatever link the attacker desired.
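The fix for this class of bug is to stop trusting the client-supplied link. As an added, defender-side example that is not from the article or from TikTok's own code, the function below validates a `download_url` parameter against a hypothetical allowlist of download hosts before it is ever placed in an SMS body; the host names and the phone-number format are assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist for the example: the article does not state which
# download hosts TikTok actually trusts, so these are placeholders.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"www.tiktok.com", "tiktok.com"}

# Assumed phone-number format for the Mobile parameter: E.164 (+ and 7-15 digits).
E164 = re.compile(r"^\+[1-9]\d{6,14}$")


def is_safe_download_url(url: str) -> bool:
    """Return True only for an https link to an allowlisted host.

    Rejects the ways a caller could smuggle an arbitrary link into the SMS:
    other schemes (http, javascript:, data:), lookalike hosts such as
    tiktok.com.evil.example, userinfo tricks (https://tiktok.com@evil.example),
    non-standard ports and malformed input.
    """
    if not isinstance(url, str) or len(url) > 2048:
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # lowercased, with userinfo and port stripped
    if host is None or host not in ALLOWED_HOSTS:
        return False
    if port not in (None, 443):
        return False
    return True


def build_download_sms(mobile: str, download_url: str):
    """Return the SMS body, or None if either parameter fails validation.

    A rejected request should be logged by the caller; nothing is sent for it.
    """
    if not E164.match(mobile) or not is_safe_download_url(download_url):
        return None
    return f"Download the TikTok app: {download_url}"
```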

Then there was the deep-linking functionality, which made it possible for attackers to trigger actions inside the app through a link opened in the browser.

And last, the researchers found that Tiktok’s subdomain https://ads.tiktok.com was vulnerable to XSS attacks, a type of attack in which malicious scripts are injected into otherwise benign and trusted websites.

Here, the injection point of the XSS attack was found in the search functionality. When a user performs a search, an HTTP GET request carrying the search term is sent to the web application server, and the term was reflected back into the page without proper encoding, so an attacker could inject JavaScript code there.

Image: TikTok home page that allows people to send themselves a link to download the TikTok app
The researchers added: "In the course of our research, we found that it is possible to send a malicious link to a victim that will result in redirecting the victim to a malicious website. The redirection opens the possibility of accomplishing Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and Sensitive Data Exposure attacks without user consent."

TikTok is available in over 150 markets, used in 75 languages globally, and with over 1 billion users.

As of October 2019, TikTok is one of the world’s most downloaded apps.

While TikTok is certainly entertaining, it is just like any other platform out there: it can be riddled with flaws yet to be discovered.

According to USA Today, the U.S. Navy banned the use of TikTok by its personnel. The Guardian quoted Senior Democrat Chuck Schumer as saying that the “TikTok app poses potential national security risk”. CNet.com also reported that the U.S. Army banned TikTok from use on government phones.

Fortunately, TikTok has patched the bugs after Check Point Research informed TikTok developers about the vulnerabilities exposed in its research.

According to the researchers, a solution was "responsibly deployed to ensure its users can safely continue using the TikTok app."


Published: 31/12/2019