TikTok Fixes Critical Vulnerabilities That Allow Attackers to Steal Data

News highlights:

  1. TikTok patches critical vulnerabilities that allowed attackers to compromise an account
  2. Attackers could delete videos, create videos, make private videos public and steal sensitive financial data
  3. The exploit starts with SMS spoofing: a malicious link delivered in an SMS that appears to come from TikTok
  4. Clicking the link in the SMS lets attackers send requests on the victim’s behalf
  5. XSS attack, API calls and redirecting to a malicious website are some ways users can be compromised

Shocking research by Check Point has cast suspicion on TikTok’s privacy and raised some essential security questions. How private is our private information, really?

How exposed are we to the threat actors out there? How safe are the most famous digital brands in the world? Read on, and these questions will be answered.

The researchers found a critical vulnerability that could allow anyone with enough hacking skills to compromise a TikTok user’s account.

From deleting videos to creating them, and from stealing financial data to making private videos public, the attacks can do far more harm than imagined to someone who came to TikTok just for some fun and frolic.

What are the TikTok attacks?

As demonstrated in the video at the end of the article, the attacks start with a message, apparently sent by TikTok itself, to the target user.

When the user clicks on the link in the SMS, the attack takes place without the user’s further intervention. What is this SMS that enables such a vicious attack and why is it coming from TikTok?

TikTok’s website has a feature that lets anyone send themselves (or anyone else) an SMS containing a link to download the TikTok app.

Someone who knows how to use Burp Suite can intercept that HTTP request and change its parameters, replacing the ‘app download’ link with a malicious one.


Once the victim is tricked by the manipulated SMS, their TikTok app opens the malicious URL, and the attacker can then send requests on the user’s behalf.

How unprofessional! The SMS spoofing can also be used to redirect the victim to a fraudulent website, since TikTok’s redirection process used improper validation: it only checked whether the string tiktok.com appeared in the parameter.
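The redirect flaw described above comes down to validating the target with a substring match. The following added example (not Check Point’s or TikTok’s code; the allowlist, function names and sample URLs are constructed for illustration) contrasts that style of check with one that parses the URL and compares its host against an allowlist:

```python
from urllib.parse import urlsplit

# Hosts a redirect may point to. Constructed allowlist for this example.
ALLOWED_HOSTS = {"tiktok.com"}


def weak_redirect_check(url: str) -> bool:
    """The style of check the article describes: the target is accepted as
    long as the text 'tiktok.com' appears somewhere in the parameter."""
    return "tiktok.com" in url


def strict_redirect_check(url: str) -> bool:
    """Parse the URL and compare its host against the allowlist."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    # Absolute https URLs only: this rejects javascript:, http:, and
    # scheme-relative or path-only strings.
    if parts.scheme != "https" or not parts.netloc or not host:
        return False
    # urlsplit treats 'tiktok.com@evil.example' as userinfo + host; a naive
    # split on '/' can be fooled by that, so reject any userinfo outright.
    if parts.username is not None or parts.password is not None:
        return False
    host = host.lower().rstrip(".")
    return host in ALLOWED_HOSTS or any(
        host.endswith("." + allowed) for allowed in ALLOWED_HOSTS
    )


# Constructed sample targets: the first is what a legitimate link looks like,
# the rest are lookalikes that the substring check lets through.
SAMPLE_TARGETS = [
    "https://www.tiktok.com/download",
    "https://evil.example/?ref=tiktok.com",
    "https://tiktok.com.evil.example/",
    "https://tiktok.com@evil.example/",
    "http://www.tiktok.com/download",
    "javascript:void(0)//tiktok.com",
]


def compare_checks(targets=SAMPLE_TARGETS):
    """Return {url: (weak_result, strict_result)} for each target."""
    return {u: (weak_redirect_check(u), strict_redirect_check(u)) for u in targets}


if __name__ == "__main__":
    for url, (weak, strict) in compare_checks().items():
        print(f"weak={weak!s:5} strict={strict!s:5}  {url}")
```

Only the first sample passes the strict check; the substring check accepts every one of them.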

TikTok’s SMS with malicious link (Image source: Check Point Research)

How do the TikTok attacks function?

Using a cross-site scripting (XSS) attack, it is possible to execute JavaScript on behalf of the victim through the vulnerable subdomain, https://ads.tiktok.com. This JavaScript can then be used to send multiple HTTP GET and POST requests.

Sensitive data retrieved from the API (Image source: Check Point Research)

Check out the video below to see the attack in action.

https://research.checkpoint.com/wp-content/uploads/2020/01/tiktok_video.mp4?_=1

The vulnerabilities were not only reported to the Chinese social media giant but have also been resolved by them. Make sure you are using the latest patched version of your favourite short-video platform.

We have tried to give you all the details about the news, but you can go and read the blog post by Check Point for more technical details regarding this issue.

Share the news with your TikTok friends and ask them to stay safe. Online safety isn’t a joke. Are you following the best security practices?

Make sure you are! And keep following our news section for updates about cyber security, one of the most sensitive areas of our digital lives.

Let us know your comments in the section below.

Stay tuned, stay safe.

©2020 Tech Brewery. All Rights Reserved. Website By Amagraphs.
