From deleting videos to accepting follower requests, research released by cybersecurity research firm Check Point Research (CPR) on January 8 exposed security flaws in the popular video-sharing mobile app TikTok. CPR also mentioned that it had informed TikTok of the vulnerabilities and that TikTok had deployed solutions to all these problems. Key findings It was possible to send any message to any phone number on behalf of TikTok (SMS spoofing): TikTok's main website allows users to send an SMS message to themselves in order to download the application. Attackers could capture such a request made by a user and change parameters for their own purposes. For instance, this made it possible to send malicious links to any phone number on behalf of TikTok. Hackers could send requests on behalf of the users: CPR found that the Android version of the app has a "deep links" functionality that makes it possible to invoke intents in the app via a browser link. Attackers could use the SMS spoofing vulnerability to send links to the users which then made it possible for attackers to send requests on behalf of the user. Hackers could redirect the victim to a malicious website by sending a legitimate-looking login (SMS Spoofing) link derived from Tiktok’s domain: https://login.tiktok.com. Basically, after clicking a legitimate-looking TikTok link, a security lapse in the system allowed users to be directed to any malicious page/website that the hacker wished them to go to as long as the redirection link had "tiktok.com" as its ending. For instance, this means that…
