From deleting videos to accepting follower requests, research released by cybersecurity research firm Check Point Research (CPR) on January 8 exposed security flaws in the popular video-sharing mobile app TikTok. CPR also mentioned that it had informed TikTok of the vulnerabilities and that TikTok had deployed solutions to all these problems.

Key findings

  • It was possible to send any message to any phone number on behalf of TikTok (SMS spoofing): TikTok’s main website allows users to send an SMS message to themselves in order to download the application. Attackers could capture such a request made by a user and change parameters for their own purposes. For instance, this made it possible to send malicious links to any phone number on behalf of TikTok.
  • Hackers could send requests on behalf of the users: CPR found that the Android version of the app has a “deep links” functionality that makes it possible to invoke intents in the app via a browser link. Attackers could use the SMS spoofing vulnerability to send links to the users which then made it possible for attackers to send requests on behalf of the user.
  • Hackers could redirect the victim to a malicious website by sending a legitimate-looking login link (via SMS spoofing) derived from TikTok’s domain: https://login.tiktok.com. After clicking a legitimate-looking TikTok link, a security lapse in the system allowed users to be directed to any malicious page/website that the hacker wished them to go to, as long as the redirection link had “tiktok.com” as its ending. For instance, this means that users could be directed to a website such as www.hack-attacker-tiktok.com too. This redirection opens the possibility of carrying out Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and Sensitive Data Exposure attacks without user consent.
  • TikTok’s subdomain for advertising (https://ads.tiktok.com/) is vulnerable to Cross-Site Scripting attacks. This is a type of attack in which “malicious scripts are injected into otherwise benign and trusted websites”. In secure websites, input from the user is sanitized to make sure it contains no malicious code before the output is given to the user. This was not the case with TikTok: CPR demonstrated a vulnerability in the platform by entering a script in the search bar of the webpage, which led to an alert box showing up in other users’ browsers.
  • Hackers could steal all the sensitive information of the victims by bypassing certain security mechanisms. Obtaining sensitive data was as easy as making some API calls to the https://api-t.tiktok.com and https://api-m.tiktok.com subdomains. CPR was able to bypass the Cross-Origin Resource Sharing (CORS) and Same-Origin Policy (SOP) mechanisms to retrieve sensitive data, which could then also be sent to the attackers’ server. Under SOP, a script can only access content that has the same origin, while CORS is a standardized way to enable cross-origin requests in modern browsers.
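
The open redirect described above comes down to how the redirect target is validated. The following is an added example (not CPR’s or TikTok’s code) contrasting a suffix-only host check with one that parses the URL and enforces a domain boundary; the sample URLs and the `ALLOWED_DOMAIN` constant are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed allowlist root for this example; a real deployment would hold its own list.
ALLOWED_DOMAIN = "tiktok.com"


def is_safe_redirect_weak(url: str) -> bool:
    """Suffix-only check of the kind the write-up describes.

    Any host that merely ends in the string "tiktok.com" passes, so a look-alike
    such as www.hack-attacker-tiktok.com is accepted.
    """
    host = urlparse(url).hostname or ""
    return host.endswith(ALLOWED_DOMAIN)


def is_safe_redirect(url: str) -> bool:
    """Hardened check: parse the URL and compare the host at a label boundary."""
    try:
        parsed = urlparse(url)
    except ValueError:
        return False
    # Require an absolute https URL; this also rejects scheme-relative "//host" forms.
    if parsed.scheme != "https":
        return False
    host = parsed.hostname  # lower-cased, with any userinfo and port already stripped
    if not host or "@" in parsed.netloc:  # "https://tiktok.com@other.example" is not ours
        return False
    # Exact match, or a proper subdomain separated by a dot; no look-alike suffixes.
    return host == ALLOWED_DOMAIN or host.endswith("." + ALLOWED_DOMAIN)


# Constructed sample targets a redirect endpoint might receive.
SAMPLE_TARGETS = [
    "https://www.tiktok.com/@someone",
    "https://login.tiktok.com/",
    "https://www.hack-attacker-tiktok.com/",
    "https://tiktok.com.evil.example/",
    "https://evil.example/?next=tiktok.com",
    "//evil.example/tiktok.com",
    "http://www.tiktok.com/",
]


def compare_checks(urls=SAMPLE_TARGETS) -> dict:
    """Return {url: (weak_result, hardened_result)} for each candidate target."""
    return {u: (is_safe_redirect_weak(u), is_safe_redirect(u)) for u in urls}
```

Running `compare_checks()` shows the look-alike host passing the weak check and failing the hardened one, while genuine subdomains pass both.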

By exploiting the aforementioned vulnerabilities, it was discovered that hackers could execute JavaScript code and perform actions on behalf of the victim without their consent. Actions included:

  • Deleting videos: Attackers could delete a user’s video using an HTTP GET request carrying the ID of the video the attacker wished to delete.
  • Creating videos: Attackers could post videos on behalf of a particular user.
  • Becoming a follower: Attackers could send an approval request on behalf of the victim to approve follower requests.
  • Changing a private video to a public one: Attackers could change the video privacy settings by sending an HTTP GET request on behalf of the user.

TikTok’s history with security issues

This is not the first time that TikTok has been accused of compromised security.

  • In December 2019, in a class-action lawsuit, an American college student accused TikTok of transferring private user data to servers in China, despite TikTok owner ByteDance’s assurance that it does not store personal data there.
  • In November 2019, the United States opened a national security review of TikTok’s parent ByteDance over its $1 billion acquisition of the short video app Musical.ly. ByteDance did not seek the clearance of the Committee on Foreign Investment in the United States, which reviews foreign acquisition deals for potential national security issues. The review also stems in part from the committee’s fears that the Chinese government might have access to TikTok’s data and user profiles.

TikTok has faced similar concerns in India. Multiple lawmakers have raised concerns over TikTok’s China connection, accusing TikTok of transferring Indian users’ data to Chinese servers, as well as over cultural degradation, TikTok’s allegedly harmful effects on children, and even its intermediary status.