Critical TikTok Flaw — Let Hackers Hack Any TikTok Account by Sending SMS


TikTok is a very popular 15-second video-making app with more than 1.3 billion users worldwide. Over the last few months, TikTok has been in the news because of security risks.

In December 2019, a lawsuit was filed against TikTok alleging that the app secretly sent users' sensitive private data and PII, including draft videos, to servers in China.

Recently, the U.S. Army also banned soldiers from using the TikTok app on government phones, since the app may be used for surveillance.

Flaws Found in TikTok App

Security researchers from the Check Point firm found multiple flaws in the TikTok app that would let an attacker perform the following actions on any TikTok account:

  • Modify user content
  • Upload videos
  • Delete videos
  • Change videos from private to public
  • Fetch sensitive personal information

The vulnerabilities found include:

  • SMS Link Spoofing
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Open Redirection
  • Sensitive Data Exposure

By chaining all of the above flaws, an attacker could take full control of any TikTok account.


The official TikTok website has an option to send an SMS containing the app download link to any phone number. By capturing that HTTP request with a proxy tool, an attacker can change the download link in the request to a different link.


So instead of the original download link, the user receives a spoofed download link in the SMS.


Because of the deep-link functionality of the TikTok app, a link can take users directly to a specific destination within the app.

TikTok's login redirection process was also found to be vulnerable, because it allowed redirection to any URL containing tiktok.com. A cross-site scripting flaw was also discovered on the ads.tiktok.com site.
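To show why "anything with tiktok.com" is not a safe redirect check, here is an added example (not Check Point's or TikTok's code) that puts a loose substring check beside a hardened one that parses the URL and compares the real hostname against an allow-list. The allow-list hosts and the sample URLs are constructed for the example.

```python
from urllib.parse import urlparse

# Hypothetical allow-list of exact hosts a login flow may redirect to.
# (Constructed for this example; TikTok's real list is not on the page.)
ALLOWED_REDIRECT_HOSTS = {"www.tiktok.com", "m.tiktok.com"}

def weak_is_safe_redirect(url: str) -> bool:
    """Loose check of the kind the post describes: anything 'with tiktok.com'
    passes, no matter where the string occurs in the URL."""
    return "tiktok.com" in url

def strict_is_safe_redirect(url: str) -> bool:
    """Hardened check: parse the URL, require https, and compare the parsed
    hostname (not the raw string) against an allow-list of exact hosts.
    Exact hosts rather than any *.tiktok.com subdomain keep an XSS on one
    subdomain (the post mentions ads.tiktok.com) from becoming a
    redirect destination."""
    try:
        parts = urlparse(url)
    except ValueError:           # e.g. malformed IPv6 literal
        return False
    if parts.scheme != "https":  # rejects http:, javascript:, and
        return False             # scheme-relative '//host/...' forms
    host = parts.hostname        # lower-cased; drops userinfo and port
    return host is not None and host in ALLOWED_REDIRECT_HOSTS

# Constructed sample inputs; every one contains the substring "tiktok.com".
SAMPLES = [
    "https://www.tiktok.com/@someone",            # genuinely on-site
    "http://www.tiktok.com/login",                # wrong scheme
    "//www.tiktok.com/login",                     # scheme-relative
    "https://tiktok.com.attacker.example/",       # crafted hostname
    "https://www.tiktok.com@attacker.example/",   # userinfo before '@'
    "https://attacker.example/?next=tiktok.com",  # substring in query
    "javascript:void(0)//tiktok.com",             # non-http scheme
]

def compare(urls=SAMPLES):
    """Return {url: (weak_verdict, strict_verdict)} for each sample URL."""
    return {u: (weak_is_safe_redirect(u), strict_is_safe_redirect(u))
            for u in urls}

if __name__ == "__main__":
    for url, (weak, strict) in compare().items():
        print(f"weak={weak!s:<5} strict={strict!s:<5} {url}")
```

Only the first sample passes the strict check; the loose check accepts all seven.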

Because of the lack of an anti-cross-site request forgery mechanism, attackers could also execute JavaScript code and perform actions on behalf of the user without the user's knowledge.

All of the above flaws were reported to TikTok by the Check Point security researchers, and all of them were fixed immediately. Android and iOS users of the TikTok app are advised to update to the latest version.

If you have any questions about the critical TikTok flaw, or want to share your views on it, please mention them in the comments box and I will get back to you.
