Researchers at Israeli cybersecurity firm Check Point Research exposed multiple vulnerabilities in the Chinese short-video app TikTok. The platform has over a billion users globally and nearly 300 million in India. The TikTok security flaws could let attackers steal personal information such as email addresses and sensitive videos.
The Chinese video-making platform is used mainly by teenagers and kids to share, save and keep private (and sometimes very sensitive) videos of themselves and their loved ones. “Data is pervasive but data breaches are becoming an epidemic, and our latest research shows that the most popular apps are still at risk,” Oded Vanunu, Head of Product Vulnerability Research, Check Point, said in a statement.
TikTok vulnerability detailed
The threat intelligence arm of Check Point Software Technologies Ltd discovered that an attacker could send a user a spoofed SMS message containing a malicious link. Once the user clicked the link, the attacker could take control of the TikTok account. The attacker could then manipulate its content by deleting videos, uploading unauthorised videos, and making private or “hidden” videos public.
“Social media applications are highly targeted for vulnerabilities as they provide a good source for private data and offer a good attack surface gate. Malicious actors are spending large amounts of money and putting in great effort to penetrate into such huge applications. Yet most users are under the assumption that they are protected by the app they are using,” Vanunu added.
Subdomain vulnerable too
The research also found that TikTok’s subdomain ads.tiktok.com was vulnerable to cross-site scripting (XSS) attacks, a class of attack in which malicious scripts are injected into otherwise benign and trusted websites so that they run in a victim’s browser with that site’s privileges. The researchers leveraged this vulnerability to retrieve personal information saved on user accounts, including private email addresses and birthdates.
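To make the XSS class concrete, here is a small added example (it is not Check Point’s research code and has nothing to do with how ads.tiktok.com was actually built). It shows a hypothetical page that reflects a query parameter into HTML without encoding, the same page with HTML-escaping applied, and a simple check a reviewer can run over both outputs. All function names and the sample payload are constructed for illustration.

```javascript
// Added example: reflected-XSS defect beside its hardened form.
// Hypothetical code, not from TikTok or Check Point.

// Characters that must be encoded before untrusted text is placed in HTML body/attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode untrusted input so the browser treats it as text, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// VULNERABLE: the query string is concatenated straight into the page.
// Any '<script>' (or event-handler attribute) in `query` is executed by the browser.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// HARDENED: identical page, but the untrusted value is escaped first.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Review helper: does the rendered markup contain a script tag the template itself never wrote?
// A positive result on output built from untrusted input is a sign of missing output encoding.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: the classic harmless probe used to demonstrate reflected XSS.
const SAMPLE_PAYLOAD = '<script>alert("xss")</script>';

// Stand-alone run: show both renderings side by side.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', renderSearchVulnerable(SAMPLE_PAYLOAD));
  console.log('hardened:  ', renderSearchSafe(SAMPLE_PAYLOAD));
  console.log('vulnerable output carries a script tag:', containsScriptTag(renderSearchVulnerable(SAMPLE_PAYLOAD)));
  console.log('hardened output carries a script tag:  ', containsScriptTag(renderSearchSafe(SAMPLE_PAYLOAD)));
}
```

The escaping function is context-specific: it is correct for text placed inside an HTML element or a quoted attribute, but not for values placed inside a `<script>` block, a URL, or a CSS rule, each of which needs its own encoder. Output encoding of this kind, combined with a Content-Security-Policy that disallows inline scripts, is the standard mitigation for the vulnerability class described above.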
The Israeli cybersecurity firm informed TikTok developers of the vulnerabilities exposed in this research and a fix was deployed to ensure its users can safely continue using the TikTok app.
“TikTok is committed to protecting user data. Like many organizations, we encourage responsible security researchers to privately disclose zero-day vulnerabilities to us. Before public disclosure, CheckPoint agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers,” said Luke Deshotels, PhD, TikTok Security Team.
Available in over 150 markets, used in 75 languages globally, and with over 1 billion users, TikTok is one of the most-downloaded apps. As of October 2019, TikTok is the most-downloaded app in the US, making it the first Chinese app to have achieved such a record.
With inputs from IANS.