- TikTok patches critical vulnerabilities that allowed attackers to compromise an account
- Attackers could delete videos, create videos, make private videos public and steal sensitive financial data
- The exploit starts with SMS spoofing: a malicious link is delivered in an SMS that appears to come from TikTok
- Clicking the link in the SMS lets attackers send requests on the victim’s behalf
- An XSS attack, forged API calls and redirection to a malicious website are some of the ways users can be compromised
In a startling piece of research by Check Point, TikTok’s privacy has come under scrutiny, raising some essential security questions. How private is our private information, really?
How exposed are we to the threat actors out there? How safe are the most famous digital brands in the world? Read on; this article answers these questions.
The researchers found a critical vulnerability that could allow anyone with enough hacking skills to compromise a TikTok user’s account.
From deleting videos to creating them, from stealing financial data to making private videos public, the attacks can do more harm than imagined to someone who came to TikTok just for some fun and frolic.
What are the TikTok attacks?
As demonstrated in a video at the end of the article, the attacks start with an SMS, apparently sent by TikTok itself, being delivered to the target user.
When the user clicks on the link in the SMS, the attack takes place without the user’s further intervention. What is this SMS that enables such a vicious attack and why is it coming from TikTok?
TikTok has a feature on its website that lets anyone send an SMS containing a link to download the app, either to their own phone number or to anyone else’s.
Someone who knows how to use Burp Suite can intercept that HTTP request and change its parameters, replacing the ‘app download’ link with a malicious link.
Once the attacker has spoofed TikTok through the manipulated SMS, the user’s TikTok app will open the malicious URL and accept requests from the attacker on the user’s behalf.
How unprofessional! The spoofed SMS can also be used to redirect the victim to a fraudulent website, since TikTok’s redirection process performed improper validation: it only checked whether tiktok.com appeared somewhere in the redirect parameter.
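The redirect flaw described above, as an added example that is not part of this article or of Check Point’s research: a Python comparison of a substring check (the kind of validation the article says TikTok performed) against a host-allowlist check of the kind a defender would want instead. The allowed host names and the sample URLs are constructed for illustration and are not taken from the research.

```python
from urllib.parse import urlparse

# Hosts this hypothetical application is willing to redirect to.
# Constructed allowlist for illustration, not TikTok's real configuration.
ALLOWED_HOSTS = {"tiktok.com", "www.tiktok.com", "m.tiktok.com"}
SAFE_DEFAULT = "https://www.tiktok.com/"


def weak_redirect_check(url: str) -> bool:
    """Substring check of the kind the article describes.

    Any URL that merely *mentions* tiktok.com passes, including URLs whose
    actual host is controlled by an attacker.
    """
    return "tiktok.com" in url


def safe_redirect_check(url: str) -> bool:
    """Allowlist check: parse the URL and compare the exact host name.

    Rejects non-HTTP(S) schemes, unparsable URLs and any host that is not
    literally in ALLOWED_HOSTS (so look-alike domains, userinfo tricks and
    mentions in the query string all fail).
    """
    try:
        parts = urlparse(url)
        host = parts.hostname  # may raise ValueError on malformed IPv6 literals
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    return (host or "").lower() in ALLOWED_HOSTS


def resolve_redirect(url: str) -> str:
    """Return the requested URL if it passes the allowlist, else a safe default."""
    return url if safe_redirect_check(url) else SAFE_DEFAULT


# Constructed sample redirect parameters: one legitimate, four that only
# "mention" tiktok.com while pointing somewhere else.
SAMPLE_URLS = [
    "https://www.tiktok.com/@someuser",                     # legitimate
    "https://tiktok.com.example-attacker.invalid/login",    # look-alike subdomain
    "https://example-attacker.invalid/?next=tiktok.com",    # mention in query string
    "https://tiktok.com@example-attacker.invalid/",         # userinfo before the real host
    "javascript:void(0)//tiktok.com",                       # non-HTTP scheme
]


def compare(urls):
    """Return (url, weak_result, safe_result) for each URL."""
    return [(u, weak_redirect_check(u), safe_redirect_check(u)) for u in urls]


if __name__ == "__main__":
    for url, weak, safe in compare(SAMPLE_URLS):
        print(f"{'weak:':<6}{weak!s:<6}{'safe:':<6}{safe!s:<6}{url}")
```

Run as a script, the table shows the substring check accepting all five URLs while the allowlist check accepts only the first. The same rule applies to the ‘app download’ link in the SMS feature: a value the client supplies should be validated against an allowlist on the server, or better, not taken from the client at all.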
How do the TikTok attacks function?
- To delete a video, the attacker needs to insert the video ID in https://api-t.tiktok.com/aweme/v1/aweme/delete/?aweme_id=video_id
- To post a new video, the attacker needs to create a video and use its ID in an HTTP POST request sent on the victim’s behalf
- To follow the victim on TikTok, the attacker needs to send a follow request and insert his own user ID in this HTTP POST request, which approves the follow request on its own: https://api-m.tiktok.com/aweme/v1/commit/follow/request/approve
- To change a private video of the victim to public, the attacker needs to send an HTTP GET request with the video ID to https://api-m.tiktok.com/aweme/v1/aweme/modify/visibility/?aweme_id=video_id&type=1&aid=1233&mcc_mnc=42503 (type 1 in the link means the video is set to ‘public’)
- Attackers can also access the user’s sensitive data (including financial data) by requesting it from the API server through an AJAX request
The vulnerabilities were not only reported to the Chinese social media giant but have also been resolved by it. Make sure you are using the latest patched version of your favourite short-video platform.
We have tried to give you all the details about the news, but you can read the blog post by Check Point for more technical details regarding this issue.
Share the news with your TikTok friends and ask them to stay safe. Online safety isn’t a joke. Are you following the best security practices?
Make sure you are! And keep following our news section for updates about cyber security, one of the most sensitive areas of our digital lives.
Let us know your comments in the section below.
Stay tuned, stay safe.