Security researchers found multiple security flaws in popular video-sharing app TikTok that made it technically possible to expose personal videos and data.
The vulnerabilities, which have now been patched by TikTok, could have also allowed attackers to manipulate content on user accounts, according to cybersecurity firm Check Point.
Researchers said attackers could have exploited TikTok’s SMS messaging system, which is used during the initial sign up process, to instead send a message containing a malicious link.
Once users clicked this link, an attacker could theoretically gain control of the account to upload and delete videos, move videos from ‘private’ to ‘public’ and extract personal data such as full names, email addresses and birthdays.
Separately, the Israeli cybersecurity firm found that a TikTok subdomain was vulnerable to XSS attacks, in which malicious scripts are injected into a trusted website. The researchers exploited this vulnerability to demonstrate how it was possible to retrieve users’ personal information.
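The article does not say how the SMS link was manipulated, so as an added illustration (not Check Point's research code or TikTok's implementation) assume the weak pattern a defender should look for: a server-side "send me the app" endpoint that copies a caller-supplied download link into the SMS text. The mitigation is to parse the link and accept it only if it is HTTPS and its host is exactly on an allowlist, falling back to a fixed default otherwise. The hostnames below are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed placeholder allowlist of hosts a download SMS may point to.
# Replace with the real, fixed set of hosts your app controls.
ALLOWED_LINK_HOSTS = frozenset({"example-app.com", "www.example-app.com"})

# Constructed default link used whenever the supplied one is rejected.
DEFAULT_DOWNLOAD_LINK = "https://www.example-app.com/download"


def is_trusted_download_link(url: str) -> bool:
    """Return True only for an https URL whose host is exactly on the allowlist.

    Parsing with urlsplit (rather than string matching) means that
    userinfo tricks ("https://trusted@attacker"), look-alike suffixes
    ("trusted.com.attacker"), non-https schemes and odd ports are all rejected.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname   # userinfo and port removed, lower-cased
        port = parts.port       # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":   # urlsplit already lower-cases the scheme
        return False
    if not host or host not in ALLOWED_LINK_HOSTS:
        return False
    if port not in (None, 443):
        return False
    return True


def build_download_sms(requested_link: str) -> str:
    """Compose the SMS body, substituting the default link for anything untrusted.

    A rejected value is a useful detection signal; a real service would log it
    (with the requesting client) before falling back.
    """
    link = requested_link if is_trusted_download_link(requested_link) else DEFAULT_DOWNLOAD_LINK
    return f"Download the app here: {link}"


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate link and several hostile shapes.
    for candidate in (
        "https://www.example-app.com/download",
        "https://www.example-app.com@attacker.example/app",
        "https://www.example-app.com.attacker.example/app",
        "http://www.example-app.com/download",
    ):
        print(f"{candidate!r:60} -> {build_download_sms(candidate)}")
```

The check is deliberately an exact host match rather than an "ends with" test: suffix matching is what lets `trusted.com.attacker.example` through, and the scheme and port checks close the remaining ways a link can look right to a user while resolving somewhere else.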
“Data is pervasive, and our latest research shows that the most popular apps are still at risk,” said Oded Vanunu, Check Point’s head of product vulnerability research.
“Social media applications are highly targeted for vulnerabilities as they provide a good source of personal, private data and offer a large attack surface.
“Malicious actors are spending large amounts of money and time to try and penetrate these hugely popular applications – yet most users are under the assumption that they are protected by the app they are using.”
TikTok security flaw: Always auto-update
TikTok fixed the security flaws in December after being notified by Check Point in late November 2019.
Luke Deshotels, PhD, TikTok Security Team said: “TikTok is committed to protecting user data. Like many organisations, we encourage responsible security researchers to privately disclose zero-day vulnerabilities to us.
“Before public disclosure, CheckPoint agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers.”
The TikTok app has been downloaded more than 1.5 billion times across 150 markets, and it has grown in popularity for its unique format, which allows users to create short, often well-made videos.
Jake Moore, cybersecurity specialist at ESET, said: “SMS messages should always be taken with precaution due to their inherent flaws with the minimal security around them. Clicking on a link in a message should always be dealt with caution but when the SMS looks legitimate, many people will still follow through with the request.”
Moore recommends users keep auto-updates switched on to ensure apps are equipped with the most recent security patches.
“Bad actors are always looking for vulnerabilities and companies like TikTok should not be shamed for being targeted,” he added. “To not be targeted nowadays would be quite a feat so at least they are taking ownership and offering quick support and offering updates to mitigate the risk to their users.”