
Research exposed multiple security vulnerabilities on TikTok: Report

Screenshots from TikTok App

From deleting videos to accepting follower requests, research released by cybersecurity research firm Check Point Research (CPR) on January 8 exposed security flaws in the popular video-sharing mobile app TikTok. CPR also mentioned that it had informed TikTok of the vulnerabilities and that TikTok had deployed solutions to all these problems.

Key findings

  • It was possible to send any message to any phone number on behalf of TikTok (SMS spoofing): TikTok’s main website allows users to send an SMS message to themselves in order to download the application. Attackers could capture such a request made by a user and change parameters for their own purposes. For instance, this made it possible to send malicious links to any phone number on behalf of TikTok.
  • Hackers could send requests on behalf of the users: CPR found that the Android version of the app has a “deep links” functionality that makes it possible to invoke intents in the app via a browser link. Attackers could use the SMS spoofing vulnerability to send links to the users which then made it possible for attackers to send requests on behalf of the user.
  • Hackers could redirect the victim to a malicious website by sending a legitimate-looking login link (via SMS spoofing) derived from TikTok’s domain, https://login.tiktok.com. After clicking a legitimate-looking TikTok link, a security lapse in the system allowed users to be directed to any malicious page/website that the hacker wished them to go to, as long as the redirection link ended in “tiktok.com”. For instance, this means that users could be directed to a website such as www.hack-attacker-tiktok.com. This redirection opens the possibility of carrying out Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and Sensitive Data Exposure attacks without user consent.
  • TikTok’s subdomain for advertising (https://ads.tiktok.com/) is vulnerable to Cross-Site Scripting attacks. This is a type of attack in which “malicious scripts are injected into otherwise benign and trusted websites”. In secure websites, user input is sanitised to make sure it contains no malicious code before it is output to other users. This was not the case with TikTok: CPR demonstrated the vulnerability by entering a script in the search bar of the webpage, which led to an alert box showing up on other users’ browsers.
  • Hackers could steal all the sensitive information of the victims by bypassing certain security mechanisms. Obtaining sensitive data was as easy as making some API calls to the https://api-t.tiktok.com and https://api-m.tiktok.com subdomains. CPR was able to bypass the Cross-Origin Resource Sharing (CORS) and Same Origin Policy (SOP) mechanisms to retrieve sensitive data, which could then also be sent to the attackers’ server. Under SOP, a script can only access content that has the same origin, while CORS is a standardized way to enable cross-origin requests in modern browsers.
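The redirect finding above hinges on a suffix check on the whole URL string, which a hostname such as www.hack-attacker-tiktok.com satisfies. The following is an added illustration, not code from the article, CPR or TikTok: a hypothetical reconstruction of that weak check beside a hardened version that parses the URL and validates the hostname. The parameter handling, the default landing page and the allow-list of hosts are assumptions.

```javascript
// Added example: weak suffix-based redirect validation vs. hostname-based validation.
// Assumed allow-list and fallback page; the real TikTok logic is not known from the article.
const TRUSTED_HOSTS = new Set(["www.tiktok.com", "login.tiktok.com", "ads.tiktok.com"]);
const DEFAULT_TARGET = "https://www.tiktok.com/";

// Weak check (reconstruction of the flaw described): any string that ends with
// "tiktok.com" passes, so "https://www.hack-attacker-tiktok.com" is accepted,
// and so is "https://evil.example/#tiktok.com".
function weakRedirectTarget(requested) {
  return requested.endsWith("tiktok.com") ? requested : DEFAULT_TARGET;
}

// Hardened check: parse the URL, require https, then compare the parsed
// hostname (not the raw string) against an exact allow-list or a real
// parent-domain boundary (".tiktok.com", dot included).
function safeRedirectTarget(requested) {
  let url;
  try {
    url = new URL(requested);
  } catch {
    return DEFAULT_TARGET; // unparsable input: fall back to a known-good page
  }
  if (url.protocol !== "https:") return DEFAULT_TARGET;
  const host = url.hostname.toLowerCase();
  // "login.tiktok.com@evil.example" parses with hostname "evil.example",
  // so userinfo tricks are rejected here as well.
  const allowed = TRUSTED_HOSTS.has(host) || host.endsWith(".tiktok.com");
  return allowed ? url.href : DEFAULT_TARGET;
}
```

Logging the rejected `requested` value in `safeRedirectTarget` is a cheap way to spot redirect-abuse attempts in production traffic.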

By exploiting the aforementioned vulnerabilities, it was discovered that hackers could execute JavaScript code and perform actions on behalf of the victim without their consent. Actions included:

  • Deleting videos: Attackers could delete a user’s video using an HTTP GET request carrying the ID of the video the attacker wished to delete.
  • Creating videos: Attackers could post videos on behalf of a particular user.
  • Becoming a follower: Attackers could send an approval request on behalf of the victim to approve follower requests.
  • Changing a private video to a public one: Attackers could change the video privacy settings by sending an HTTP GET request on behalf of the user.

TikTok’s history with security issues

This is not the first time that TikTok has been accused of compromised security.

  • In December 2019, in a class-action lawsuit, an American college student accused TikTok of transferring private user data to servers in China, despite TikTok owner ByteDance’s assurance that it does not store personal data there.
  • In November 2019, the United States opened a national security review of TikTok’s parent ByteDance over its $1 billion acquisition of the short video app Musical.ly. ByteDance did not seek the clearance of the Committee on Foreign Investment in the United States, which reviews foreign acquisition deals for potential national security issues. The review also stems in part from the committee’s fears that the Chinese government might have access to TikTok’s data and user profiles.

TikTok has faced similar concerns in India. Multiple lawmakers have raised concerns over TikTok’s China connection, accusing TikTok of transferring Indian users’ data to Chinese servers, as well as over cultural degradation, TikTok’s allegedly harmful effects on children, and even its intermediary status.

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ