TikTok is a very popular 15-second video-making app with more than 1.3 billion users worldwide. In the last few months, TikTok has been in the news because of security risks.
In December 2019, a lawsuit was filed against TikTok because it secretly sent users' sensitive private data and PII, including draft videos, to Chinese servers.
Recently, the U.S. Army also banned soldiers from using the TikTok app on government phones, because the app may be used for surveillance.
Flaws Found in TikTok App
Security researchers from the Check Point firm found multiple flaws in the TikTok app that allow an attacker to do the following on any TikTok account:
- Modify the user's content
- Upload videos
- Delete videos
- Change a video from private to public
- Fetch sensitive personal information
The vulnerabilities found include:
- SMS Link Spoofing
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Open Redirection
- Sensitive Data Exposure
By chaining all of the above flaws, an attacker can take full control of any TikTok account.
The official TikTok website offers an option to send an SMS with the app download link to any phone number. Because that HTTP request can be captured with a proxy tool and the download link in it changed, the recipient receives a spoofed download link in the SMS instead of the original one.
Thanks to the deep-link functionality of the TikTok app, users can be taken directly to a specific destination within the app.
TikTok's login redirection process was also found to be vulnerable: it allowed redirection to any URL containing tiktok.com. A cross-site scripting flaw was also discovered on the ads.tiktok.com site.
All of the above flaws were reported to TikTok by Check Point's security researchers and were fixed immediately. Android and iOS users of the TikTok app are advised to update to the latest version.
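To make the open-redirect point concrete, here is an added Python example (not TikTok's code and not from Check Point's research) that contrasts a substring check, which accepts any URL containing tiktok.com, with a strict hostname allow-list; the allow-list, the `resolve_redirect` helper and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlparse

# Hosts a login flow may send users back to. Assumed allow-list for this
# example, not TikTok's real configuration.
ALLOWED_HOSTS = {"tiktok.com", "www.tiktok.com", "m.tiktok.com"}


def weak_is_allowed(url: str) -> bool:
    """Substring check: accepts any URL that merely contains 'tiktok.com'.

    This models the class of check the article describes as allowing a
    redirect to anything containing tiktok.com.
    """
    return "tiktok.com" in url


def strict_is_allowed(url: str) -> bool:
    """Parse the URL and compare the exact hostname against the allow-list."""
    try:
        parsed = urlparse(url)
    except ValueError:
        return False
    if parsed.scheme != "https":
        return False
    # .hostname strips userinfo and port and lower-cases the result.
    host = parsed.hostname or ""
    return host in ALLOWED_HOSTS


def resolve_redirect(url: str, default: str = "https://www.tiktok.com/") -> str:
    """Return url only if it passes the strict check; otherwise a safe default."""
    return url if strict_is_allowed(url) else default


# Constructed sample inputs: legitimate targets plus look-alike URLs that the
# substring check waves through but the hostname check rejects.
SAMPLES = [
    "https://www.tiktok.com/@someone",
    "https://tiktok.com.example.test/login",
    "https://example.test/?next=tiktok.com",
    "http://www.tiktok.com/",
    "https://user@tiktok.com@example.test/",
]


def audit(samples=SAMPLES):
    """Map each sample URL to (weak verdict, strict verdict) for comparison."""
    return {u: (weak_is_allowed(u), strict_is_allowed(u)) for u in samples}
```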
If you have any questions about these critical TikTok flaws, or want to share your views on them, please leave them in the comments box and I will get back to you.