Multiple security vulnerabilities found in TikTok
By Ryan Noik 10 January 2020 | Categories: news
Before you hop onto WhatsApp or TikTok, you may want to consider whether it is actually safe to do so. The recent WhatsApp cloning scam, where cybercriminals compromised number porting to extort money from compromised devices’ contact lists, has raised questions about whether the platform is secure enough. Then, this week, Check Point Research, the threat intelligence arm of Check Point Software Technologies Ltd., revealed that it found multiple vulnerabilities in another popular platform, TikTok.
The company elaborated that, had the vulnerabilities been left unaddressed, hackers could have used them to manipulate content on user accounts and even extract confidential personal information saved on these accounts.
What makes the revelation even more disturbing is that TikTok is used mainly by teenagers and children who use the app to share, save and keep private (and sometimes very sensitive) videos of themselves and their loved ones. The research found that an attacker could send a spoofed SMS message to a user containing a malicious link. When the user clicked on the malicious link, the attacker was able to get a hold of the TikTok account and manipulate its content by deleting videos, uploading unauthorized videos, and making private or "hidden" videos public.
Add to this the fact that TikTok is available in over 150 markets, is used by more than 1 billion people and is one of the most downloaded apps, and it is no surprise that it has a target on its back for hackers.
The research also found that TikTok's subdomain https://ads.tiktok.com was vulnerable to XSS attacks, a type of attack in which malicious scripts are injected into otherwise benign and trusted websites. Check Point researchers leveraged this vulnerability to retrieve personal information saved on user accounts, including private email addresses and birthdates.
Check Point Research informed TikTok developers of the vulnerabilities exposed in this research and a fix was responsibly deployed to ensure its users can safely continue using the TikTok app. It does beg the question though, as to why these highly popular platforms aren’t better secured from the get-go.
“Data is pervasive but data breaches are becoming an epidemic, and our latest research shows that the most popular apps are still at risk,” explained Oded Vanunu, Check Point’s Head of Product Vulnerability Research. “Social media applications are highly targeted for vulnerabilities as they provide a good source for private data and offer a good attack surface gate. Malicious actors are spending large amounts of money and putting in great effort to penetrate into such huge applications. Yet most users are under the assumption that they are protected by the app they are using,” he continued.
The silver lining is that TikTok has expressed interest in working collaboratively with security researchers moving forward.
“TikTok is committed to protecting user data. Like many organizations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us. Before public disclosure, CheckPoint agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers,” commented Luke Deshotels, PhD, TikTok Security Team.