Sunday, November 24, 2024
Homecyber securityCritical TikTok Flaws Let Hackers Hack Any TikTok Account With an SMS...

Critical TikTok Flaws Let Hackers Hack Any TikTok Account With an SMS message – Demo Video of Attack

Published on

TikTok is the most popular video-sharing app, it has more than 1.3 billion users worldwide. TikTok in news for the last few months, because of the potential risks embedded within the app.

Last December a lawsuit filed stating that “TikTok shared the created videos that include close-ups of faces and private acts with the TikTok app before the videos are saved.”

Recently U.S. Army announced bans for soldiers from using the TikTok app in government phones. The ban comes as the app may be used for surveillance purposes.

- Advertisement - SIEM as a Service

Dozens of TikTok Vulnerabilities

Security researchers from Check Point discovered multiple vulnerabilities with the application, allows attackers to perform the following on any TikTok account:

  • Manipulating the user content
  • Delete videos
  • Upload videos
  • Can Change video from private to public
  • Retrieve personal information

A chain of vulnerabilities discovered includes SMS Link Spoofing, Open redirection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and Sensitive Data Exposure.

Combining the vulnerabilities an attacker can take complete control of any TikTok user accounts.

TikTok
Phone Number to send SMS Link

The official website of the TikTok has an option to send an SMS message to any provide number, an attacker can capture the HTTP request by using a proxy tool like Burp Suite and they can change the download URL to a different link.

Attacker Can Change URL
TikTok Download SMS with Fake URL

So that the recipient will get a spoofed link instead of the original link that used to download the TikTok application.

Researchers found that the app has deep links functionality, which lets users directly reach a specific destination within the app.

The TikTok login redirection process also found to be vulnerable, it allows attackers to perform a redirection to anything with tiktok.com. Following that, an XSS vulnerability was found in the ads.tiktok.com website.

TikTok
Redirection URL

“With the lack of anti-Cross-Site request forgery mechanism, we realized that we could execute JavaScript code and perform actions on behalf of the victim, without his/her consent.”

All the vulnerabilities have been reported to TikTok developers and the vulnerabilities have been fixed now. Android and iOS users are recommended to update with the latest version of TikTok.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as...

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by...

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in...

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

FortiClient VPN Flaw Enables Undetected Brute-Force Attacks

A design flaw in the logging mechanism of Fortinet's VPN servers has been uncovered,...

macOS WorkflowKit Race Vulnerability Allows Malicious Apps to Intercept Shortcuts

A race condition vulnerability in Apple's WorkflowKit has been identified, allowing malicious applications to...

Wireshark 4.4.2 Released: What’s New!

The Wireshark Foundation has officially announced the release of Wireshark 4.4.2, the latest version...