
TikTok is one of the most widely used social media platforms in the world, with more than a billion registered users and an estimated 800 million monthly active users (MAUs). The video application, launched in China in September 2016, has spread rapidly across the globe, overtaking the likes of Twitter and Snapchat, and is second only to Facebook in terms of popularity.

The application, used primarily by teenagers, lets users create short music clips and lip-sync videos and allows them to share and save private videos. But last year, researchers from the Israel-based Check Point Research exposed vulnerabilities in the Chinese app that attackers could exploit to put users’ private data at risk. Several leading news publications have already reported on the security threat the application poses. CNet.com recently reported that the US Army, which had earlier used TikTok as a recruitment tool, banned the app from government phones.

Researchers at Check Point Research listed the following actions an attacker could carry out by exploiting the vulnerabilities in the application: take over accounts and manipulate their content; delete videos; upload unauthorized videos; make private videos public; and reveal personal information linked to the account, such as email addresses.

The researchers found that the download-link request feature on TikTok’s website could be abused to send attacker-chosen links through the company’s official SMS platform, a technique known as SMS link spoofing. Because the message arrives from TikTok’s legitimate sender, the link looks trustworthy; once the user follows it, they unknowingly grant the attacker access to their account. Once that foothold is gained, the attacker can upload videos, make private clips public, and access all sensitive information linked to the account.

Check Point Research also found that the Android version of the application supported “deep links”, which an attacker could combine with the SMS spoofing vulnerability: a crafted deep link lets the attacker cause the app to send requests on behalf of the unsuspecting user.

The app’s redirect functionality can likewise be abused to carry out malicious activities such as cross-site scripting, cross-site request forgery, and sensitive data exposure attacks. This is just one of the many loopholes that researchers at Check Point Research discovered and brought to the notice of the Beijing-based company. It is also not the first time that TikTok has been called out over security concerns: in November last year, the US government initiated a security review of the app’s parent company, ByteDance, over its $1 billion acquisition of the video app Musical.ly.
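The defensive control behind the redirect and SMS-link issues above is that the server must never forward a user to, or message a user with, a link it has not verified. As an added illustration (not code from the original post, from TikTok, or from Check Point), the following checks a redirect or download-link target against an allowlist of exact hosts; the hosts and the SMS wording are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts a deep link or SMS download link may point to.
ALLOWED_HOSTS = {"example-app.com", "m.example-app.com"}
DEFAULT_DOWNLOAD_LINK = "https://example-app.com/get"  # fixed, server-side value


def is_safe_redirect(url, allowed_hosts=ALLOWED_HOSTS):
    """True only if url is https and its host is exactly one of allowed_hosts.

    Rejects other schemes (http:, javascript:), scheme-relative //host links,
    userinfo tricks (https://allowed@other.test), lookalike subdomains
    (allowed.com.other.test), backslash and control-character confusion.
    """
    if not isinstance(url, str) or "\\" in url:
        return False
    # Leading/trailing or embedded control characters change how clients parse the scheme.
    if url != url.strip() or any(ord(c) < 0x20 for c in url):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # already lower-cased, brackets stripped
    if host is None or port not in (None, 443):
        return False
    return host in allowed_hosts


def safe_redirect_target(url, fallback=DEFAULT_DOWNLOAD_LINK, allowed_hosts=ALLOWED_HOSTS):
    """Return url if it passes the allowlist, otherwise a known-good fallback."""
    return url if is_safe_redirect(url, allowed_hosts) else fallback


def build_download_sms(requested_link):
    """Compose the SMS body for a 'send me the app' request.

    The link embedded in the message is validated, so a client-supplied value
    pointing elsewhere is replaced by the fixed server-side download link.
    """
    return "Download the app: " + safe_redirect_target(requested_link)


if __name__ == "__main__":
    print(build_download_sms("https://example-app.com/get?ref=sms"))
    print(build_download_sms("https://example-app.com@other.test/"))
```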

TikTok has acknowledged the app’s vulnerabilities, including the serious SMS-related issues. “TikTok is committed to protecting user data. Like many organizations, we encourage responsible security researchers to privately disclose zero-day vulnerabilities to us. Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers,” a spokesperson told Forbes.com in January this year.

Data breaches are becoming increasingly common, and it is important that users become aware of the threats they could face. A moment of inattention is enough for an attacker to access and misuse users’ private information, so being informed and vigilant is vital. While users could do little to prevent this SMS-centric vulnerability themselves, they should make sure they update to the latest version of the app to minimize the risk.

Govindraj Basatwar
Govindraj is the Global Sales Head for AppSealing at INKA Entworks. He keenly follows innovation and development in cybersecurity, IT, content and application security, and software development, and loves to educate everyone about the what, why, and how of major incidents in the cybersecurity world. His views on industry trends and best practices have been featured in articles and white papers, and he has been a keynote guest at multiple security events.
