A new security research report this week suggests TikTok had a vulnerability that could have allowed hackers to access videos on any user’s account, and even send them links to fake websites.
TikTok has an option on its website that allows a user to download the app by sending themselves an SMS.
According to the report published by Check Point, its researchers found that, through this vulnerability, it was possible to send an SMS to any phone number on behalf of TikTok.
That's not all: the vulnerability could even give a hacker access to a user's TikTok account and let them write code on the back end that allowed them to change the settings of videos on the account from private to public, create new videos, and even delete them.
A user could have mistakenly clicked a website link sent by the hacker via SMS, which had been recoded to open fraudulent websites, leaving them vulnerable to future attacks.
As you can see above, Pic 1 shows you the legitimate SMS message, while Pic 2 gives you the SMS which has been sent with the link changed by the attacker. And once the user clicks it, their account is exposed.
What Has TikTok Done to Fix This?
Check Point claims it had shared the vulnerability with TikTok back in November, after which the issue in the app was fixed.
“TikTok is committed to protecting user data. Like many organizations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us.”
- Luke Deshotels, Security Team Member, TikTok
Researchers at Check Point emphasised that TikTok’s popularity makes it a prime target for hackers, and its availability across multiple platforms gives them access to millions of users without much effort.
“We see huge amounts of malicious activity on IM and social networks. What we’re trying to make sure people understand is that the cyber space is something that doesn’t just start and end on a sophisticated platform, but that if you’re in cyber space, even for day to day activity, your data and privacy are at risk.”
- Oded Vanunu, Lead Researcher, Check Point
With TikTok becoming popular in India, the vulnerability is likely to have affected millions of users, and we’re hopeful those users have updated their apps to fix the issue reported by Check Point.
It’s Not Just TikTok
While this vulnerability affects TikTok, Check Point’s Vanunu is adamant that attacks can happen on any platform, even the older ones, and that it’s up to users to realise the value their data offers to third-party actors. Having billions of users makes these platforms even more appealing for attackers.
“Even for veteran applications, they are not more or less vulnerable, but there’s potentially much more opportunity since they have so many users.”
- Oded Vanunu, Lead Researcher, Check Point
Vulnerabilities are nothing new, but in TikTok’s case, such findings can put the company in a spot of bother, especially when the governments of the US and India have raised security concerns with regard to its country of origin.
Check Point has been keeping a close eye on popular mobile platforms, most notably WhatsApp, which has been making the headlines for similar concerns. The app had a vulnerability that offered hackers the chance to install spyware on users’ devices, and its impact raised eyebrows across the globe.