
Major XSS and SMS Vulnerabilities Found in TikTok

Severe security vulnerabilities in the incredibly popular media content platform TikTok could let an attacker manipulate content, send malicious links and steal personal data, researchers at Check Point said today.

One vulnerability requires only the victim's mobile number to start manipulating the platform into sending malware-ridden text messages.

TikTok was founded in 2017 by China-based ByteDance, an internet media company established by former Microsoft engineer Zhang Yiming.

Last year the TikTok application reached over 500 million downloads on the Google Play store alone, making it the third most downloaded app in the first quarter of 2019. The application lets users create short music clips, dominated by lip-sync clips of 3 to 15 seconds which can then be posted onto the platform.


Check Point researchers found that it was possible to send a malicious SMS message to any phone on behalf of TikTok: the platform lets users give it their phone number, in order to get a text that starts the application’s download.

But Check Point noticed that threat actors could capture the HTTP request using the proxy tool ‘Burp Suite’. This allows a hacker to change the download_url parameter. By doing so, they can instead send a link of the attacker’s choosing; for instance, it could lead to any number of malicious websites hosting malware or credential-stealing pages.

Oded Vanunu, Check Point’s Head of Product Vulnerability Research, commented in an emailed statement that: “Data is pervasive, and our latest research shows that the most popular apps are still at risk. Social media applications are highly targeted for vulnerabilities as they provide a good source of personal, private data and offer a large attack surface. Malicious actors are spending large amounts of money and time to try and penetrate these hugely popular applications – yet most users are under the assumption that they are protected by the app they are using.”

As per standard disclosure procedures, Check Point alerted TikTok to the vulnerabilities within their platform. Luke Deshotels of the TikTok Security Team commented in a release that: “TikTok is committed to protecting user data. Like many organizations, we encourage responsible security researchers to privately disclose zero-day vulnerabilities to us. Before public disclosure, CheckPoint agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers.”

TikTok Vulnerabilities

Check Point notes that the redirect process was vulnerable because of the validation regex on TikTok’s platform: it accepted any redirect parameter value that simply ended with tiktok.com.

This left a massive opening to anyone who wanted to create malicious pages whose domain ended in tiktok.com, such as iamahacker-tiktok.com.
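To show why a suffix regex is the wrong check for a redirect target, here is an added example (not Check Point’s or TikTok’s code) contrasting a weak “ends with tiktok.com” pattern with a check that parses the URL and compares the host against an assumed allow-list of exact host names:

```python
import re
from urllib.parse import urlsplit

# Weak check, modelled on the behaviour described in the article: any value
# whose text ends in "tiktok.com" passes, including attacker-controlled hosts
# such as iamahacker-tiktok.com or a query string that merely ends that way.
WEAK_PATTERN = re.compile(r"tiktok\.com$")


def weak_is_allowed(url: str) -> bool:
    return WEAK_PATTERN.search(url) is not None


# Hardened check (added here, not the platform's code): parse the URL, require
# https, reject embedded credentials (user@host tricks) and compare the parsed
# host name exactly against an allow-list.  The allow-list is an assumption.
ALLOWED_HOSTS = {"tiktok.com", "www.tiktok.com"}


def strict_is_allowed(url: str) -> bool:
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed input such as unbalanced IPv6 brackets
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host in ALLOWED_HOSTS


# Constructed sample redirect targets for a quick comparison of both checks.
SAMPLES = [
    "https://www.tiktok.com/download",          # legitimate
    "https://iamahacker-tiktok.com",            # lookalike, weak check passes
    "https://evil.example/?next=tiktok.com",    # suffix in the query string
    "https://www.tiktok.com@evil.example/",     # credentials trick
    "http://www.tiktok.com/",                   # wrong scheme
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:45} weak={weak_is_allowed(sample)!s:5} "
              f"strict={strict_is_allowed(sample)}")
```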

The security researchers also identified a cross-site scripting vulnerability within a subdomain of TikTok.

An ads subdomain contained a help centre for people looking to publish ads on the platform. Check Point found a search vulnerability in this centre, as the “injection point of the XSS attack was found in the search functionality. When an attacker tries to perform a search, an HTTP GET request is performed to the web application server with a q parameter and the searched string as its value.”


Check Point say that this opened up several vectors of attack for them, since the site had no anti-cross-site request forgery mechanism. Pushing their attacks forward, Check Point state that: “We found several API calls in https://api-t.tiktok.com and https://api-m.tiktok.com subdomains. Making requests to the above-mentioned APIs will reveal sensitive information about the user including email address, birthdates and more.” They add: “We realized that we could execute JavaScript code and perform actions on behalf of the victim, without his/her consent.”

In an emailed statement to Computer Business Review, a TikTok spokesperson commented that: “Following a review of customer support records, we can confirm that we have not seen any patterns that would indicate an attack or breach occurred.”

With regard to the extraction of sensitive personal data, the platform stated that: “It is not accurate to state that users’ full names, email addresses and birthdays could have been extracted. Even in a hypothetical attack, we don’t believe that any real names could have been accessed, a view consistent with the firm’s release.”


This article is from the CBROnline archive: some formatting and images may not be present.

CBR Staff Writer