Check Point Research revealed that it had uncovered multiple vulnerabilities in TikTok that could have allowed attackers to manipulate content on user accounts and extract confidential personal information stored in those accounts.
Teenagers and children use the TikTok app to share, save and keep private videos. TikTok, which is available in over 150 markets and used in 75 languages globally, has over 1 billion users. As of October 2019, TikTok was the most downloaded app in the United States, making it the first Chinese app to achieve that.
The research found that an attacker could send users a spoofed SMS message containing a malicious link. Once the user clicked the link, the attacker could take control of the TikTok account and manipulate its content: deleting videos, uploading unauthorized videos, and making private or hidden videos public.
The research also found that TikTok’s subdomain https://ads.tiktok.com was vulnerable to cross-site scripting (XSS), a class of attack in which attacker-controlled script is injected into an otherwise benign and trusted website and then runs in victims’ browsers with that site’s privileges.
Check Point researchers leveraged this vulnerability to retrieve personal information saved on user accounts, including private email addresses and birthdates. (Check Point Research is the research arm of Check Point Software Technologies, a supplier of cyber security products.)
Check Point Research disclosed the vulnerabilities to TikTok’s developers, and a fix was deployed before publication so that users can continue to use the TikTok app safely.
“Social media applications are targeted for vulnerabilities as they provide a good source for private data and offer a good attack surface gate,” Oded Vanunu, Check Point’s Head of Product Vulnerability Research, said.
Luke Deshotels of the TikTok Security Team said: “TikTok is committed to protecting user data. We encourage responsible security researchers to privately disclose zero day vulnerabilities to us. Before public disclosure, CheckPoint agreed that all reported issues were patched in the latest version of our app.”