TikTok has been in the news lately for all the wrong reasons. Take, for example, the ban imposed by the US Army, which prevents soldiers from using the viral app on government-issued phones, citing security concerns. Now, Check Point Research has reported multiple vulnerabilities in the TikTok app that could allow attackers to gain control of a user account and manipulate its content, erase videos, change the privacy status, and do a lot more damage. Thankfully, the vulnerability in TikTok has now been fixed.
Check Point Research mentions in its blog post that it was possible to send an SMS message to a mobile number on behalf of TikTok. This functionality is available on the official TikTok website to let users download the app. However, an attacker could capture the HTTP request with a proxy tool and spoof a message containing any harmful link the malicious party intended to send. The link in question could then redirect users to a malicious website, and this was made possible because the redirection process was found to be vulnerable.
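As an added example (not code from the article or from Check Point's report), the following shows a hardened check for a user-supplied download link before it is embedded in an SMS or used as a redirect target, next to the kind of substring check that lets attacker-controlled hosts through. The allowlisted hosts and the default link are constructed placeholders, not TikTok's real configuration.

```python
from urllib.parse import urlsplit

# Constructed placeholders for illustration, not real production values.
ALLOWED_HOSTS = {"example-app.com", "www.example-app.com"}
DEFAULT_LINK = "https://www.example-app.com/download"


def naive_check(candidate: str) -> bool:
    """Weak substring check: accepts any URL that merely *contains* the
    expected domain, e.g. https://example-app.com.evil.example/."""
    return "example-app.com" in candidate


def safe_download_link(candidate: str) -> str:
    """Return candidate only if it is an HTTPS URL whose host is exactly one
    of the allowlisted hosts; otherwise fall back to the server-side default."""
    if not candidate:
        return DEFAULT_LINK
    # Browsers treat a backslash in the authority like a slash, but Python's
    # parser does not. Normalise first so the host we check is the host a
    # browser would actually connect to (e.g. https://evil.example\@www.example-app.com).
    parsed = urlsplit(candidate.replace("\\", "/"))
    # Rejects http://, javascript:, data: and scheme-relative //host URLs.
    if parsed.scheme != "https":
        return DEFAULT_LINK
    # .hostname drops userinfo and port, so https://example-app.com@evil.example
    # is correctly seen as host evil.example, and subdomain tricks such as
    # example-app.com.evil.example fail the exact-match allowlist.
    host = parsed.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        return DEFAULT_LINK
    return candidate
```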
Once this happens, the attacker can take advantage of multiple intermediary techniques to become a follower of the victim and wreak havoc. The possible damage scenarios include deleting someone’s TikTok videos, uploading unauthorised clips, making ‘private’ videos public, and even exposing sensitive personal information associated with a TikTok account, such as the linked email address. It is essentially equivalent to a complete account takeover. Thankfully, Check Point Research notified TikTok about the vulnerability and the flaw was fixed before the findings were made public.