Data Security

TikTok vulnerability allowed hackers to send SMS with malware

The vulnerability has been patched.

Cited as a threat against even the giant looming figure of Facebook, Tiktok app has taken the world by storm. At the same time, it has also come under fire for being unproductive and a bad influence to a degree that recently US military had to ban TikTok over privacy concerns.

However, even more, is its association with the Chinese government inviting “spyware” allegations. While these may or may not be true, recently with the help of Checkpoint, the app was found to have several vulnerabilities that now have been fixed thankfully.

According to Checkpoint’s blog post, the research firm disclosed them to the platform’s parent company ByteDance who rolled out an update quickly to patch them.

 



Delving into these, the first one was in its SMS functionality. Tiktok’s website allows users to send themselves a text message with a link to download the app.

While this is surely convenient, it could become the opposite if an attacker knows your phone number, a possibility not difficult to imagine with the amount of open-source intelligence available today

Using that, the attacker could edit the download link URL parameter as shown in the image below and send a spoofed message containing a malicious link instead.

Spoofed SMS with a link sent by the attacker (left) – Download_url parameter in the text (Image credit: Checkpoint)

Secondly, Tiktok has an ads subdomain that was found vulnerable to Cross-Site Scripting (XSS). This essentially translates to the fact that users could experience malicious scripts from a domain that they believe is trustworthy and hence end up getting compromised.


An example of this is found in the search functionality features of this specific subdomain. By entering harmful scripts in place of legitimate search results, the user could be manipulated to take actions such as deleting their own content or even posting sensitive content.

Furthermore, confidential data such as your payment information &  date of birth can also be obtained by such malware, the latter may seem innocuous but can be a crucial aid for long term social engineering.

Simply put, an attacker could perform the following malicious actions by exploiting TikTok vulnerabilities.

  • Get hold of TikTok accounts and manipulate their content 
  • Upload unauthorized videos
  • Delete videos
  • Make private “hidden” videos public
  • Reveal personal information saved on the account such as private email addresses



The takeaway from this is that no platform is vulnerability-proof. While this indeed does seem like common sense, the majority of us forget so when using these platforms and allow information to flow through them unfiltered. Hence, it is important that we keep any of our “online information” to a minimum.

If you regularly make payments online, start with removing that payment information once done. Such simple precautions can go a long way eventually towards your security.

Comments
To Top

Pin It on Pinterest

Share This