Security experts from Check Point discovered multiple vulnerabilities in the popular TikTok app that could be chained by remote attackers to hijack any user account, execute malicious code on the target system and perform unwanted actions.



These vulnerabilities (which include SMS link spoofing, open redirection, and cross-site scripting) affect the app backend and could be exploited just by knowing the victim's mobile number.


The App

Available in over 150 markets, used in 75 languages globally, and with over 1 billion users, TikTok has definitely cracked the code to the term “popularity” across the globe. As of October 2019, TikTok is one of the world’s most downloaded apps.

The application is mainly used by teenagers and kids to create short music clips, mostly lip-sync clips of 3 to 15 seconds, and short looping videos of 3 to 60 seconds. It allows young people to share, save and keep private (and sometimes very sensitive) videos of themselves and their loved ones.

Recently, the app has come under close scrutiny in the US and other countries for its alleged links with the Beijing government [2] and, in recent days, the US Army banned TikTok from use on government phones [3].


The Vulnerabilities

In recent months, Check Point Research teams discovered multiple vulnerabilities within the TikTok application. The vulnerabilities described in this research allow attackers to do the following:

Get hold of TikTok accounts and manipulate their content:

- Delete videos
- Upload unauthorized videos
- Make private “hidden” videos public
- Reveal personal information saved on the account such as private email addresses

Check Point Research informed TikTok developers about the vulnerabilities exposed in this research, and a fix was responsibly deployed to ensure users can safely continue using the TikTok app.

Check Point researchers also published a video PoC of the attack.

More technical information is available in Check Point's report [1].


Is there a fix?

The vulnerabilities affect the app backend (not the mobile client). Check Point informed TikTok developers about the vulnerabilities before publishing the report, and TikTok has already deployed the fixes on the app backend, so the app is currently secure.

However, before the patching, a skilled attacker may have had access to account contents, so I suggest performing a review of your account contents, such as public/private videos, account details and permissions.


References

  1. Tik or Tok? Is TikTok secure enough? - Check Point Research
  2. TikTok Said to Be Under National Security Review - The New York Times
  3. US Army bans TikTok app from government phones - CNET