Check Point Research, the Threat Intelligence arm of Check Point® Software Technologies Ltd., a leading provider of cyber security solutions globally, has announced that it has uncovered multiple vulnerabilities in TikTok. The flaws could have allowed an attacker to manipulate content on user accounts and even extract confidential personal information saved on those accounts.
TikTok is widely used by teenagers and kids, who use the app to share, save and keep private (sometimes very sensitive) videos of themselves and their loved ones. The research found that an attacker was able to send a spoofed SMS message containing a malicious link to a user. When the user clicked the link, the attacker gained access to that TikTok account and could manipulate its content, such as deleting videos, uploading unauthorised videos, and making private or “hidden” videos public.
The research also found that TikTok's subdomain https://ads.tiktok.com was vulnerable to cross-site scripting (XSS), a type of attack in which malicious scripts are injected into an otherwise trusted website. Check Point researchers leveraged this vulnerability to retrieve personal information saved on user accounts, including private email addresses and birthdates.
Check Point Research informed TikTok developers of the vulnerabilities exposed in this research, and a fix was responsibly deployed to ensure its users can safely continue using the TikTok app.
“Data is pervasive, but data breaches are becoming an epidemic, and our latest research shows that the most popular apps are still at risk,” said Oded Vanunu, Check Point’s Head of Product Vulnerability Research. “Social media applications are highly targeted for vulnerabilities as they provide a good source for private data and offer a good attack surface gate. Malicious actors are spending large amounts of money and putting in great effort to penetrate into such huge applications. Yet most users are under the assumption that they are protected by the app they are using.”
Luke Deshotels, PhD, TikTok Security Team: “TikTok is committed to protecting user data. Like many organisations, we encourage responsible security researchers to privately disclose zero-day vulnerabilities to us. Before public disclosure, CheckPoint agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers.”
Available in over 150 markets, used in 75 languages globally, and with over 1 billion users, TikTok is definitely one of the most downloaded apps around. As of October 2019, TikTok is the most downloaded app in the United States, making it the first Chinese app to have achieved such a record.