TikTok vulnerabilities could allow hackers access to personal data
Multiple vulnerabilities in the popular TikTok video-sharing app and its back end could have allowed attackers to manipulate content on user accounts, and even extract confidential personal information.
Researchers at Check Point found that an attacker could send a spoofed SMS message to a user containing a malicious link. If the user clicked the link, the attacker could access the user's TikTok account and manipulate its content: deleting videos, uploading unauthorized videos, and making private or 'hidden' videos public.
TikTok is mainly popular with teenagers who use the service to create and share short video clips. Security worries surrounding the service have led to the US Navy banning the use of the application for its personnel.
The researchers also found a sub-domain vulnerable to XSS attacks that could allow the retrieval of personal information saved on user accounts, including private email addresses and birth dates.
"Data is pervasive, and our latest research shows that the most popular apps are still at risk," says Oded Vanunu, Check Point's head of product vulnerability research. "Social media applications are highly targeted for vulnerabilities as they provide a good source of personal, private data and offer a large attack surface. Malicious actors are spending large amounts of money and time to try and penetrate these hugely popular applications -- yet most users are under the assumption that they are protected by the app they are using."
Check Point Research informed ByteDance, TikTok's developer, of the vulnerabilities in late November 2019, and a fix was deployed within a month so that users could continue using the TikTok app safely.
Luke Deshotels, of the TikTok security team says, "TikTok is committed to protecting user data. Like many organizations, we encourage responsible security researchers to privately disclose zero-day vulnerabilities to us. Before public disclosure, CheckPoint agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers."
You can find out more about the vulnerabilities on the Check Point blog.