Check Point researchers have found a chain of vulnerabilities in TikTok, one of the world’s most popular applications, that let them hijack a victim’s account starting from a single SMS message.
TikTok is available in more than 150 markets, is used in 75 languages and has more than 1 billion users. In October 2019 it was named one of the most downloaded applications in the world.
Teenagers and children mainly use the application to create short music videos.
“In the last few months we have seen evidence of the potential risks embedded within the TikTok application, and this has been acknowledged as well by others in the industry. According to USA Today, the US Navy banned the use of the application for its personnel, while in an article by The Guardian, Senior Democrat Chuck Schumer says that the “TikTok app poses potential national security risk”. In addition, the New York Times has published that TikTok is under national security review. Most recently, CNet.com reported that the US Army banned TikTok from use on government phones, reversing its policy on the entertainment app, which it recently used as a recruiting tool,” the Check Point researchers write.
In other words, knowing only the victim’s phone number, an attacker could tamper with the victim’s account and read the personal data stored in it. Chaining several of the vulnerabilities allowed the attacker to run JavaScript in the context of the victim’s TikTok session and to perform actions on the victim’s behalf without their consent.
Taken individually, the vulnerabilities were all of low severity: link spoofing in SMS messages, open redirects, and cross-site scripting (XSS).
Chained together, however, they allowed a remote attacker to:
- Delete any video from the victim’s profile;
- Upload videos to the victim’s profile without authorization;
- Make private (“hidden”) videos public;
- Disclose personal information stored in the account, including physical addresses and email addresses.
The starting point of the attack was the SMS feature on TikTok’s website: a visitor can enter their phone number and receive a text message containing a link to download the application. The researchers found that the link placed in that message was not adequately protected and could be controlled by an attacker.
“As it turned out, an attacker could send an SMS message on behalf of TikTok to any number, placing in the message a special URL leading to a malicious page designed to execute code on a device with the TikTok application already installed,” Check Point says.
Combined with the open redirect and cross-site scripting flaws, this let the attacker execute JavaScript in the victim’s TikTok context, and thus act on the victim’s behalf, as soon as the user tapped the link received via SMS.
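The chain above begins with a web endpoint that copies a caller-supplied URL into an SMS and a redirect that trusts its target. As an added example (this is not the page’s or TikTok’s code; the hosts, endpoint and function names are invented stand-ins), the block below shows that weak pattern next to a hardened validator that only lets links to an allowlisted origin through and falls back to a fixed download page for everything else:

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Hypothetical service used only for this example. These are stand-in names,
# not TikTok's real hosts, endpoints or code.
CANONICAL_ORIGIN = "https://www.example-app.com"
ALLOWED_HOSTS = {"www.example-app.com", "m.example-app.com"}
DEFAULT_DOWNLOAD_URL = CANONICAL_ORIGIN + "/download"


def build_sms_vulnerable(download_url: str) -> str:
    """Weak 'text me the app link' feature.

    The link goes straight from the request into the message, so anyone who
    can reach the endpoint can make the service text an arbitrary URL to any
    phone number under its own sender ID.  This is the pattern described above.
    """
    return f"Get the app: {download_url}"


def safe_redirect_target(url: str) -> Optional[str]:
    """Return a canonical URL if `url` stays on our own site, otherwise None.

    Decisions are made on the parsed URL, never on substring matching:
    'example-app.com' appearing somewhere in the string proves nothing.
    """
    if "\\" in url or any(ord(c) < 0x20 for c in url):
        # Browsers treat '/\evil' like '//evil'; control characters are a
        # classic way to confuse parsers.  Reject rather than normalise.
        return None

    # A site-relative path is fine: resolve it against our own origin.
    if url.startswith("/") and not url.startswith("//"):
        return CANONICAL_ORIGIN + url

    parts = urlsplit(url)  # urlsplit lowercases scheme and hostname for us
    if parts.scheme != "https":
        return None  # also drops javascript:, data:, http: and '//host' forms
    if parts.username is not None or parts.password is not None:
        return None  # https://www.example-app.com@evil.example
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        return None  # also rejects www.example-app.com.evil.example
    try:
        port = parts.port
    except ValueError:
        return None  # malformed port
    if port not in (None, 443):
        return None
    # Rebuild from the parsed parts so odd spellings of the original do not
    # survive; the fragment is deliberately dropped.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


def build_sms_hardened(download_url: Optional[str]) -> str:
    """Hardened version: the message only ever carries a link we vetted.

    Anything that fails validation falls back to the canonical download page,
    so a tampered request cannot turn the service into an SMS spoofing relay.
    """
    target = safe_redirect_target(download_url) if download_url else None
    return f"Get the app: {target or DEFAULT_DOWNLOAD_URL}"


if __name__ == "__main__":
    # Constructed attacker inputs of the kind an open-redirect check must handle.
    probes = [
        "https://www.example-app.com/download?ref=sms",   # legitimate
        "/download",                                      # site-relative
        "https://evil.example/steal",                     # plain off-site link
        "https://www.example-app.com.evil.example/",      # look-alike subdomain
        "https://www.example-app.com@evil.example/",      # userinfo trick
        "//evil.example/",                                # scheme-relative
        "javascript:alert(document.cookie)",              # XSS-style link
        "/\\evil.example",                                # backslash confusion
    ]
    for probe in probes:
        print(f"{probe!r:50} vulnerable -> {build_sms_vulnerable(probe)}")
        print(f"{'':50} hardened   -> {build_sms_hardened(probe)}")
```

Parsing first and comparing the hostname against an allowlist is what defeats the look-alike subdomain and userinfo tricks that substring checks miss. For the SMS feature itself the deeper fix is simpler still: the service already knows where its app lives, so it has no reason to accept a URL from the client at all.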
A video demonstration of the attack can be seen below.
Check Point reported the vulnerabilities to ByteDance, TikTok’s developer, at the end of November 2019, and about a month later the developers released patches fixing all of the reported problems.
Only recently it was reported that the ToTok messenger, popular in the Arab world, turned out to be a project of the UAE intelligence services for mass surveillance of its citizens and others. What kind of “tok” curse is this? Be suspicious of any application with the word “Tok” in its name.