[BreachExchange] TikTok Security Vulnerabilities Could Expose User Data

Destry Winant destry at riskbasedsecurity.com
Thu Jan 9 10:06:01 EST 2020


https://www.cisomag.com/tiktok-security-vulnerabilities-could-expose-user-data/

Researchers at Check Point discovered multiple security
vulnerabilities in the popular short-video streaming app TikTok. According
to the researchers, the vulnerabilities could have allowed attackers
to access user accounts and expose private data including names, email
addresses, and dates of birth.

SMS Link Spoofing Vulnerability

The first vulnerability, in TikTok's SMS functionality, was dubbed
SMS Link Spoofing. The TikTok website allows users to send a text
message to themselves with a link to download the app on their
devices. An attacker able to control the link in that message could
abuse it to reach user data.

“Attackers using the SMS Link Spoofing vulnerability can send a custom
link that contains the schemas mentioned above. Since the custom link
will contain the URL parameter, the mobile application will open a
browser window and go to the webpage written in the parameter from the
mobile application,” Check Point explained.

However, this attack requires the hacker to know the phone number of
the victim, which could be obtained via social engineering, phishing,
or from a stolen list of numbers.
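As an added example (not Check Point's or TikTok's code), the defender-side check a deep-link handler should apply before opening the page named in a URL parameter: the destination must be HTTPS and on an allowlisted host, and userinfo prefixes, duplicate parameters and non-HTTPS schemes are rejected. The tiktok:// scheme, the parameter name url and the allowlist are assumptions for this example; the article names neither.

```python
from typing import Optional
from urllib.parse import urlparse, parse_qs

# Constructed allowlist for this example; the real app's list is not on the page.
ALLOWED_HOSTS = {"www.tiktok.com", "tiktok.com"}


def resolve_deeplink_target(deeplink: str, param: str = "url") -> Optional[str]:
    """Return the destination the app may open, or None if it must be ignored.

    `deeplink` is the custom-scheme link the app received (assumed shape:
    tiktok://open?url=<destination>). Only a single, HTTPS destination on an
    allowlisted host is accepted; everything else is refused rather than
    handed to a browser window.
    """
    query = urlparse(deeplink).query
    candidates = parse_qs(query).get(param, [])
    if len(candidates) != 1:          # missing or duplicated parameter
        return None
    target = urlparse(candidates[0])
    if target.scheme != "https":      # rejects http:, javascript:, file:, ...
        return None
    if target.username or target.password:
        # https://www.tiktok.com@attacker.example/ has hostname attacker.example
        return None
    host = (target.hostname or "").rstrip(".").lower()
    if host not in ALLOWED_HOSTS:     # exact match: no suffix/prefix look-alikes
        return None
    return candidates[0]
```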

Cross-Site Scripting (XSS) Vulnerability

The researchers also found that TikTok's subdomain,
https://ads.tiktok.com, was vulnerable to XSS attacks, in which malicious
scripts are injected into trusted websites. Attackers could send a
malicious link to a victim that would redirect the victim to a
malicious website.

The vulnerabilities allowed hackers to:

Get hold of TikTok accounts and manipulate their content
Delete videos
Upload unauthorized videos
Make private “hidden” videos public
Reveal personal information saved on the account such as private email addresses

However, it is unclear whether the security flaws were exploited by
attackers. Check Point stated that it notified TikTok's parent company,
ByteDance, of the vulnerabilities and that TikTok fixed the issues.

Luke Deshotels, security team member at TikTok, said, “TikTok is
committed to protecting user data. Like many organizations, we
encourage responsible security researchers to privately disclose
zero-day vulnerabilities to us. Before public disclosure, Check Point
agreed that all reported issues were patched in the latest version of
our app. We hope that this successful resolution will encourage future
collaboration with security researchers.”

In the last few months there have been other signs of the potential
risks around TikTok. The U.S. Navy recently banned the app, citing
cybersecurity concerns. A statement said that service members of both
the U.S. Navy and Army who had the app installed on government-issued
mobile devices would be blocked from the Navy-Marine Corps Intranet.

Earlier, TikTok was also hit with a class-action lawsuit in the U.S.
claiming that the company surreptitiously transferred users' data to
Chinese servers without their consent. The proposed class-action
lawsuit was filed in California federal court by Misty Hong, a student
from Palo Alto.
