- CheckPoint recently reported security flaws in the TikTok short-form video platform that could have been exploited to take control of user accounts and expose user details.
- TikTok, the short-form video platform, had flaws that could have been exploited to take control of user accounts, delete videos, upload videos, and make private or hidden videos public, as reported by CheckPoint Research.
Researchers at CheckPoint Research, an Israeli cybersecurity firm, have identified multiple vulnerabilities in TikTok’s short-form video platform that could have been exploited to take control of user accounts, delete videos, upload videos, make private or hidden videos public, and reveal personal information such as email addresses.
The vulnerabilities were brought to the attention of TikTok and have already been patched by the cybersecurity team of the Chinese company. “We invite responsible security researchers, like many organizations, to secretly report zero-day vulnerabilities to us. Until public disclosure, CheckPoint confirmed that in the latest version of our software, all identified bugs were patched.
We hope this successful outcome will encourage future cooperation with security researchers,” said TikTok Security Team’s Luke Deshotels. CheckPoint found multiple vulnerabilities in TikTok during their testing. One such vulnerability, called SMS Link Spoofing, could have enabled an attacker to send a spoofed SMS message with a malicious link on TikTok’s behalf.
Another vulnerability, called Open Redirection, might have allowed the attacker to redirect the user to a malicious website that would execute JavaScript code and make requests to TikTok with the victim’s cookies.
The flaw in the redirection method lay in the regular expression (RegEx) validation, which failed to properly validate the redirect URL parameter. Instead of checking the destination host, it only accepted a parameter value that ended with tiktok.com, so any URL ending in tiktok.com passed validation and could be used as a redirect target.
CheckPoint also found that a TikTok subdomain was vulnerable to XSS attacks, a form of attack that injects malicious scripts into a trusted website. Since no anti-cross-site request forgery (CSRF) mechanism was in place, an attacker could inject JavaScript code and perform actions on behalf of the user without their consent.
By exploiting these vulnerabilities, an attacker could send HTTP GET requests with a video ID asking TikTok to delete the video. Similarly, they could upload a video to the user’s page by sending an HTTP POST request on behalf of the user. To make a private video public, an attacker would first need the video ID of a private video, which can be obtained if the attacker is a follower of the user. Using that ID, the attacker could change the video’s privacy settings by sending an HTTP GET request on behalf of the user.
Within TikTok subdomains, the researchers also found several API calls. Submitting requests to some of these APIs disclosed confidential user information such as email addresses, payment information, and dates of birth.
Oded Vanunu, Head of Product Vulnerability Research at CheckPoint, warned in a press statement that social media applications are heavily targeted for vulnerabilities because they hold a rich source of private data and offer a broad attack surface. Malicious actors spend large amounts of money and effort on attacking such huge applications, while most users assume they are protected by the app they use.
In India alone, TikTok is highly popular among teenagers and boasts over 200 million users. The platform is being scrutinized in the U.S. and several agencies, including the U.S. Navy, have banned their staff from using the app, according to reports.