Hackers Could Send Malware to TikTok Users via SMS

  • Researchers discovered a nasty flaw in TikTok’s platform, with multiple repercussions for its users.
  • Attackers could exploit it to delete or unhide private videos, or even for TikTok account takeover.
  • The vulnerability has been fixed since December, but whether it was under active exploitation remains unknown.

Researchers from Check Point have discovered that TikTok was carrying a vulnerability that enabled malicious actors to send malware to users of the app. Called “SMS Link Spoofing”, the attack abuses a feature on tiktok.com that lets anyone enter a phone number and have TikTok send that number an SMS containing a link to download the app. An attacker captures the HTTP request behind that feature with a proxy tool, changes the “download_url” parameter, and TikTok’s own servers then send the victim an SMS whose link points to a payload of the attacker’s choosing instead of the TikTok app. Because the message arrives through TikTok’s legitimate SMS channel, the victim has little reason to distrust it. The researchers demonstrated several ways to chain this with further flaws: once the victim opened the link in a browser, requests could be forged on their behalf using the cookies of their logged-in TikTok session.

[Image: diagram of the SMS link spoofing attack flow]
Source: Check Point Research

Once the victim has been redirected to the malicious website, the attackers can go on to mount cross-site scripting (XSS), cross-site request forgery (CSRF), or sensitive data exposure (email addresses and birth dates) attacks without the victim having to take any further action. Other exploits include switching videos from private to public, or deleting the user’s videos. The only validation TikTok applied to the redirection URL was a check that the destination domain ends with “tiktok.com”, so the trick works with any domain whose name happens to end that way, for example one the attacker registers. Not all of the follow-on exploits are of the same complexity or criticality, but the step that initiates them is fairly simple.
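The root cause of both the SMS link spoofing and the redirection step described above is the same: a user-supplied URL (the “download_url” in the SMS request, the redirect target on the login flow) is accepted after a check that only looks at how the host name ends. The following Python example is added here to illustrate that weakness and its fix; it is not code from Check Point or from TikTok, and the allowlist, the default download link and the function names are assumptions made for the illustration. The weak check models the suffix-only validation the article describes; the strict check parses the URL and accepts only an exact allowlisted host over https.

```python
import re
from urllib.parse import urlparse

# Assumed for this example: the only destinations the SMS/redirect
# feature should ever send a user to.
ALLOWED_HOSTS = {"tiktok.com", "www.tiktok.com", "m.tiktok.com"}
# Assumed canonical app download link used when a request is rejected.
DEFAULT_DOWNLOAD_URL = "https://www.tiktok.com/download"


def weak_is_tiktok_url(url: str) -> bool:
    """Models the flawed validation: pass if the host merely ends in 'tiktok.com'."""
    m = re.match(r"^https?://([^/?#]+)", url)
    if not m:
        return False
    host = m.group(1).lower()
    # 'attacker-tiktok.com' satisfies this test, which is the whole problem.
    return host.endswith("tiktok.com")


def strict_is_tiktok_url(url: str) -> bool:
    """Hardened validation: exact host allowlist, https only, no userinfo tricks."""
    try:
        parts = urlparse(url)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # 'https://tiktok.com@evil.com/' parses with username 'tiktok.com' and
    # hostname 'evil.com'; reject anything carrying credentials outright.
    if parts.username or parts.password:
        return False
    host = (parts.hostname or "").lower()
    # Exact match only. A dot-bounded suffix check (".tiktok.com") would still
    # let an attacker bounce the victim through any subdomain, which matters
    # when one of those subdomains has an XSS bug of its own.
    return host in ALLOWED_HOSTS


def resolve_download_link(requested: str) -> str:
    """Server-side handling of the SMS 'download_url' parameter (assumed design):
    honour it only if it passes the strict check, otherwise fall back to the
    canonical link so a tampered request cannot change what the SMS contains."""
    return requested if strict_is_tiktok_url(requested) else DEFAULT_DOWNLOAD_URL


def compare(urls):
    """Return {url: (weak_result, strict_result)} for a batch of candidate URLs."""
    return {u: (weak_is_tiktok_url(u), strict_is_tiktok_url(u)) for u in urls}


if __name__ == "__main__":
    # Constructed sample inputs: legitimate links and the kinds of look-alike
    # hosts an attacker would try against a suffix-only check.
    samples = [
        "https://www.tiktok.com/",
        "https://attacker-tiktok.com/",      # passes the weak check, fails strict
        "https://tiktok.com.evil.com/",      # fails both
        "https://tiktok.com@evil.com/",      # userinfo trick, fails strict
        "http://www.tiktok.com/",            # wrong scheme, fails strict
    ]
    for url, (weak, strict) in compare(samples).items():
        print(f"{url:36} weak={weak!s:5} strict={strict!s:5}")
    print(resolve_download_link("https://attacker-tiktok.com/payload.apk"))
```

The point of `resolve_download_link` is that the server, not the client, decides what goes into the SMS: a proxy-modified `download_url` that fails validation is simply replaced, rather than echoed to the victim.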

TikTok is a very popular short-video creation and sharing platform, counting over 1 billion users in 150 countries, so any security issue in it has the potential to affect a large number of people. TikTok is owned by the Chinese company ByteDance, which has raised concerns about what it does with the user data it collects. Some have called TikTok a national security risk, and the US Army has banned its personnel from using the app on government-owned devices.

Although the flaw described above could have wreaked havoc in such a huge community, the researchers and ByteDance both confirm that it has already been fixed. Check Point reported its findings to TikTok in November 2019, and the vulnerabilities were patched by mid-December. Whether or not this flaw had been discovered earlier by spy agencies or other hackers remains unknown, and there is no way to determine this after the fact. As researcher Oded Vanunu points out, some organizations pay more than $1 million for this type of attack against such widely used tools, so chances are that someone was already exploiting the flaw.

Are you part of TikTok’s community, or do you prefer that your data isn’t stored on Chinese servers? Let us know where you stand in the comments down below, or on our socials, on Facebook and Twitter.
