A serious vulnerability in Chinese video app TikTok could allow hackers to manipulate user data and reveal personal information, according to an Israel-based cybersecurity research company Check Point. The security flaw in the app's core system would have allowed hackers to gain access to TikTok accounts and carry out malicious activities, such as manipulation of user accounts and exposing the personal, private information of users.
Meanwhile, a separate flaw allowed Check Point researchers to access personal information from their user accounts through TikTok's website. The vulnerabilities were disclosed to TikTok on November 20 while the app managed to fix all the issues by December 15.
The flaws discovered and described by researchers would have allowed attackers to gain unauthorized access to TikTok accounts and manipulate their content. Attackers could also delete videos, upload new videos or make private "hidden" videos public. Attackers could also reveal users' personal information saved on the account such as private email addresses.
"Check Point Research informed TikTok developers about the vulnerabilities exposed in this research and a solution was responsibly deployed to ensure its users can safely continue using the TikTok app," Check Point said in its blog post.
Researchers further explained the way attackers could hijack TikTok accounts. SMS Link Spoofing was mainly the method that attackers probably would have employed. On the TikTok's website homepage, the app allows users to send themselves and SMS in order to receive the link to download the application.
Attackers could capture the HTTP request using a proxy tool. The Mobile parameter contains the phone number to which the SMS will be sent to and the download_url parameter is the link that will appear in the SMS message. Changing the download_url parameter would result in a spoofed SMS message that will contain the malicious link from the attacker.
Attackers using the SMS Link Spoofing vulnerability could send a custom link that contains the “URL” parameter and the request could be sent with the users’ cookies, effectively compromising the active login session. With access, an attacker could create or delete videos, retrieve personal information from the account settings, among others.