Photo: Reuters

Multiple vulnerabilities detected in TikTok fixed

  • During their research, CheckPoint found multiple vulnerabilities in TikTok
  • Researchers also found several API calls in TikTok subdomains that leaked user data

Researchers at the Israeli cybersecurity firm CheckPoint Research have found multiple vulnerabilities in the short-form video platform TikTok which could have been exploited to take control of user accounts, delete videos, upload videos, make private or hidden videos public and reveal personal information such as email addresses.

The vulnerabilities were brought to TikTok's attention and have already been fixed by the Chinese company's cybersecurity team. "Like many organizations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us. Before public disclosure, CheckPoint agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers," said Luke Deshotels, from the TikTok Security Team.

During their research, CheckPoint found multiple vulnerabilities in TikTok. One, called SMS Link Spoofing, could have allowed an attacker to send a spoofed SMS message containing a malicious link on behalf of TikTok. Another, an Open Redirection, could have allowed an attacker to redirect the user to a malicious website that would execute JavaScript code and make requests to TikTok with the victim's cookies. The flaw in the redirection process lay in the validation RegEx (regular expression), which did not validate the redirect_url parameter properly: instead of checking the destination host, it only checked that the parameter value ended with tiktok.com, so any URL whose value ended in tiktok.com was accepted as a redirect target.
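The regex flaw described above, shown as an added example that is not CheckPoint's or TikTok's code: a validator that only tests the suffix of the raw parameter value next to one that parses the URL and compares the host itself. The sample redirect_url values are constructed.

```python
import re
from urllib.parse import urlsplit

ALLOWED_HOST = "tiktok.com"

# Weak check of the kind the article describes: only the suffix of the raw
# value is tested, so any string that happens to end in "tiktok.com" passes.
WEAK_PATTERN = re.compile(r"tiktok\.com$", re.IGNORECASE)


def weak_redirect_allowed(redirect_url: str) -> bool:
    return WEAK_PATTERN.search(redirect_url) is not None


def strict_redirect_allowed(redirect_url: str) -> bool:
    """Parse the URL and compare the host, not a substring of the whole value."""
    try:
        parts = urlsplit(redirect_url)
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    # Exact match or a real subdomain; the dot boundary stops "evil-tiktok.com".
    return host == ALLOWED_HOST or host.endswith("." + ALLOWED_HOST)


# Constructed sample values for redirect_url -> (weak result, strict result).
SAMPLES = {
    "https://www.tiktok.com": (True, True),
    "https://attacker-tiktok.com": (True, False),
    "https://evil.example/?next=tiktok.com": (True, False),
    "https://www.tiktok.com.evil.example": (False, False),
    "http://www.tiktok.com": (True, False),
}


def compare(samples=None) -> dict:
    """Run both validators over the samples and return url -> (weak, strict)."""
    samples = SAMPLES if samples is None else samples
    return {u: (weak_redirect_allowed(u), strict_redirect_allowed(u)) for u in samples}


if __name__ == "__main__":
    for url, (weak, strict) in compare().items():
        print(f"{url:45} weak={weak!s:5} strict={strict}")
```

The second and third samples are exactly the kind of value the suffix check waves through while a host comparison rejects them.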

CheckPoint further found that a TikTok subdomain was vulnerable to XSS attacks, a type of attack in which malicious scripts are injected into a trusted website. With no anti-cross-site-request-forgery mechanism in place, an attacker could inject JavaScript code and perform actions on behalf of the user without their consent.

By exploiting these vulnerabilities, an attacker could send an HTTP GET request carrying a video ID to make TikTok delete that video. Similarly, they could upload a video to the user's page by sending an HTTP POST request on behalf of the user. To make a private video public, the attacker would first need the ID of a private video, which is obtainable if the attacker follows the user. Using that ID, the attacker could change the video's privacy setting by sending an HTTP GET request on behalf of the user.

Researchers also found several API calls in TikTok subdomains. Sending requests to some of these APIs revealed sensitive information about the user, such as email address, payment information and birth date.

In a press statement, Oded Vanunu, CheckPoint's Head of Product Vulnerability Research, warned that social media applications are highly targeted for vulnerabilities, as they provide a good source of private data and offer a large attack surface. Malicious actors are spending large amounts of money and putting in great effort to penetrate such huge applications, yet most users assume that they are protected by the app they are using.

Hugely popular among teenagers, TikTok boasts over 200 million users in India alone. According to reports, the platform is under scrutiny in the US, and several agencies, including the US Navy, have prohibited their personnel from using the app.
