CheckPoint experts have found several individually minor vulnerabilities in the TikTok mobile application which, chained together, let an attacker take over a victim's account.
Knowing the phone number is enough
CheckPoint researchers found a number of vulnerabilities in the official mobile application of the Chinese social network TikTok that allow an attacker to take control of a user's account. All the attacker needs to know is the potential victim's mobile phone number.
TikTok is a Chinese social network for creating short music videos, live streams and messaging. Launched in 2018, it has become the leader in China and gained significant popularity in other countries, with more than 1.3 billion installations worldwide.
TikTok accounts are either public or private; the content of public accounts is visible to everyone by default, and only users who switch their account to private can restrict who sees their content.
Taken individually, none of the vulnerabilities identified in the application is critical or even particularly dangerous. Chained together they become critical: by combining SMS link spoofing, an open redirect and cross-site scripting, attackers can perform a range of malicious actions.
Beyond taking over the account outright, this makes it possible to manipulate its content: delete videos the user uploaded, upload videos without the user's knowledge or consent, make videos the user marked as private public, expose private information from the account, and so on.
Send an SMS to the number…
CheckPoint researchers found that the TikTok website's function for sending an SMS on behalf of the social network could be used to send a message to any number; such SMS normally contain a link to download the client application.
The link in that message, however, is easily substituted, which lets an attacker lure the user to a third-party resource through which code can be run in the context of the TikTok application on the target device, provided the application is already installed on it.
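Both the SMS link substitution and the open redirect described in this article come down to the same defect: a server-side endpoint accepting a caller-supplied URL without checking it against an allowlist. The following is an added illustration, not code from CheckPoint's research or from TikTok; the host names, the suffix-match "weak" check and the helper names (is_safe_link_weak, is_safe_link_strict, sms_body_for) are hypothetical and say nothing about how TikTok's own check was implemented. It shows a typical loose check beside a strict one and how the SMS endpoint would refuse to deliver a non-allowlisted link.

```python
from typing import Optional
from urllib.parse import urlparse

# Hypothetical hosts for this example (not TikTok's real allowlist).
ALLOWED_HOSTS = {"www.example-social.com", "m.example-social.com"}
TRUSTED_SUFFIX = "example-social.com"


def is_safe_link_weak(url: str) -> bool:
    """A check of the kind that produces open redirects and link spoofing:
    it only asks whether the host string ends with the trusted suffix.
    It accepts attacker domains such as 'evil-example-social.com' and
    says nothing about the scheme or protocol-relative URLs."""
    try:
        host = urlparse(url).netloc
    except ValueError:
        return False
    return host.endswith(TRUSTED_SUFFIX)


def is_safe_link_strict(url: str) -> bool:
    """Hardened check: absolute https URL, no control characters or
    backslashes (browsers treat '\\' as '/'), no embedded credentials
    ('https://trusted@evil.com'), an explicit port only if it is 443,
    and a hostname that is an exact allowlist member, not a suffix match."""
    if not isinstance(url, str):
        return False
    if "\\" in url or any(c in url for c in "\r\n\t "):
        return False
    try:
        parts = urlparse(url)
        port = parts.port            # raises ValueError for a non-numeric port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if "@" in parts.netloc:          # userinfo trick: trusted.com@evil.com
        return False
    if port not in (None, 443):
        return False
    host = (parts.hostname or "").lower()
    return host in ALLOWED_HOSTS


def sms_body_for(download_url: str) -> Optional[str]:
    """Compose the 'download the app' SMS only for an allowlisted link.
    With the weak check, an attacker could push any URL through this
    endpoint and have it delivered from the service's own sender."""
    if not is_safe_link_strict(download_url):
        return None
    return f"Download the app here: {download_url}"


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate link, two attacker variants.
    for candidate in (
        "https://www.example-social.com/download",
        "https://evil-example-social.com/download",
        "https://www.example-social.com@evil.com/",
    ):
        print(candidate, "weak:", is_safe_link_weak(candidate),
              "strict:", is_safe_link_strict(candidate))
```

The strict variant deliberately rejects anything it does not fully understand (unknown scheme, odd port, embedded credentials) rather than trying to normalise it; for a link that the service itself sends by SMS, refusing to send is always the safe failure mode.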
"In principle, the fact that the victim, a TikTok user, receives a message offering to download the client again should already raise suspicion," said Anastasia Melnikova, an information security expert at SEC Consult Services. "But users do not always wonder why they need to download something again: they assume an update has been released. Attackers' tricks of this kind are often designed around exactly such inattention."
The main problem in the TikTok application itself, from the expert's point of view, is the lack of protection against cross-site request forgery (CSRF).
In late December 2019, the U.S. Army banned its personnel from using TikTok: U.S. authorities suspect the application may be used to steal user data. On December 16, 2019, the U.S. Department of Defense had already issued a warning about the risks of this social network.
Since January 4, 2020, employees of the U.S. Department of State and the U.S. Department of Homeland Security have been officially forbidden to use TikTok.