Researchers from Check Point have discovered that TikTok carried a vulnerability that enabled malicious actors to send malware to users of the app. Called “SMS Link Spoofing”, the attack abuses the platform's feature for texting someone an SMS with a link to download the app. An attacker would capture the HTTP request with a proxy tool, change the “download_url” parameter that ends up in the SMS message, and so deliver a malware payload to the victim’s device instead of the TikTok app. The researchers demonstrated several ways to exploit this attack method, including spoofing requests with the user’s own cookies once the link was opened in the browser.
Once the victim is redirected to the malicious website, the attackers could choose among cross-site scripting (XSS), cross-site request forgery (CSRF), or sensitive data exposure (email addresses and birth dates) without the victim having to take any further action. Other demonstrated exploits include switching a user’s videos from private to public, or deleting them. Because the app performs no proper validation of the redirection URL, the trick works as long as the attacker uses a domain that ends with “tiktok.com”. Not all of the follow-on exploit methods are of the same complexity, or of equal severity, but the step that initiates them is fairly simple.
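To make the two weaknesses above concrete, here is an added Python example (not Check Point’s or TikTok’s code) that places a suffix-style “ends with tiktok.com” check, of the kind the article describes, beside a stricter validator that parses the URL and accepts only HTTPS links whose host is exactly the trusted domain or one of its subdomains. The same validator serves both the client-supplied “download_url” parameter and the redirect target. All sample URLs and the attacker domains are constructed for illustration.

```python
from urllib.parse import urlsplit

# Trusted domain from the article; a real deployment would keep an explicit allowlist.
TRUSTED_DOMAIN = "tiktok.com"
# Constructed fallback: where the server would send users if the client-supplied URL is rejected.
CANONICAL_DOWNLOAD_URL = "https://www.tiktok.com/download"


def weak_is_trusted(url: str) -> bool:
    """Suffix check of the kind the article describes: any host ending in
    'tiktok.com' passes, so a constructed 'nottiktok.com' also passes."""
    host = urlsplit(url).hostname or ""
    return host.endswith(TRUSTED_DOMAIN)


def strict_is_trusted(url: str) -> bool:
    """Parse the URL and accept only https links whose host is the trusted
    domain itself or a subdomain of it (label boundary enforced by the dot)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username or parts.password:
        # Reject userinfo such as https://tiktok.com@other.example/ outright.
        return False
    host = parts.hostname  # urlsplit already lowercases the host
    if not host:
        return False
    host = host.rstrip(".")  # normalise a trailing dot (tiktok.com.)
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def choose_download_url(client_supplied: str) -> str:
    """Server-side handling of a client-controlled download_url parameter:
    never echo it into the SMS unless it passes the strict check."""
    return client_supplied if strict_is_trusted(client_supplied) else CANONICAL_DOWNLOAD_URL


def evaluate_samples() -> dict:
    """Run both validators over constructed sample URLs for comparison."""
    samples = [
        "https://www.tiktok.com/download",            # legitimate
        "https://nottiktok.com/payload.apk",          # constructed look-alike domain
        "http://tiktok.com/",                         # right host, wrong scheme
        "https://tiktok.com.attacker.example/",       # constructed subdomain trick
    ]
    return {u: (weak_is_trusted(u), strict_is_trusted(u)) for u in samples}


if __name__ == "__main__":
    for url, (weak, strict) in evaluate_samples().items():
        print(f"{url:45} suffix-check={weak!s:5} strict={strict}")
    print("SMS link would be:", choose_download_url("https://nottiktok.com/payload.apk"))
```

The weak check is what lets a look-alike domain through; the strict check fails it because “nottiktok.com” is not a subdomain of “tiktok.com”. Rejecting the client value and substituting a server-chosen URL closes the SMS spoofing path independently of the redirect fix.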
TikTok is a very popular video snippet creation and sharing platform, counting over 1 billion users from 150 countries, so any security issue in it has the potential to affect a large number of people. TikTok was created by a Chinese company named “Byte Dance”, which has raised worries about what it does with the user data it collects. Some have called TikTok a national security risk, and the US Army has banned its personnel from using it.
Although the flaw described above could have wreaked havoc in this humongous community, the researchers and Byte Dance both confirm that it has already been fixed. Check Point alerted TikTok’s engineers back in December, and they patched the vulnerability almost immediately. Whether this flaw had earlier been discovered by spy agencies or other hackers remains unknown, and there is no way to determine this. As researcher Oded Vanunu points out, some organizations pay more than $1 million for this type of attack against such widely used tools, so chances are that someone was already exploiting the flaw.
Are you part of TikTok’s community, or do you prefer that your data aren’t stored in Chinese servers? Let us know where you stand in the comments down below, or on our socials, on Facebook and Twitter.