TikTok on the clock, and the hacking won't stop: SMS spoofing vuln let baddies twiddle teens' social media videos
Uploads, deletions, private-to-public switcharoos, all bad stuff
TikTok, a mobile video app popular with teens, was vulnerable to SMS spoofing attacks that could have led to the extraction of private information, according to infosec researchers.
The app is used mainly by the youth of today to share and save short videos of themselves and friends, often set to a popular music track, with an optional array of visual and sound effects - a la Snapchat. Research from Israeli outfit Check Point found that an attacker could send a spoofed SMS message to a user containing a malicious link.
If the user clicked that malicious link, the attacker could access the user's TikTok account and, so Check Point said, manipulate its content by deleting videos, uploading new videos and making private or "hidden" videos public.
Check Point told ByteDance, TikTok's developer, of its findings in late November 2019. A patch was issued around a month later.
The vuln was in how TikTok validated newly signed-up mobile phone numbers. When a new user signs up for TikTok, the app sends them an SMS. Check Point found out that a hacker can manipulate and send text messages to any phone number, appearing to come from TikTok. Malicious links in those messages could then inject and trigger the execution of malicious code.
Oded Vanunu, Check Point's head vuln researcher, opined: “Malicious actors are spending large amounts of money and time to try and penetrate these hugely popular applications – yet most users are under the assumption that they are protected by the app they are using.”
Luke Deshotels, a TikTok security staffer, said in a canned statement: "TikTok is committed to protecting user data. Before public disclosure, CheckPoint agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers."
The research also found that Tiktok's subdomain (https://ads.tiktok.com) was vulnerable to XSS attacks, a type of attack in which malicious scripts are injected into otherwise benign and trusted websites. Check Point researchers leveraged this vulnerability to retrieve personal information saved on user accounts, including private email addresses and birthdates.
TikTok was banned by the US Army in late December over security fears, though those were publicly linked to its Chinese origins. ®