TikTok vulnerabilities in its SMS system allow attackers to steal personal information
Security researchers found several vulnerabilities in TikTok, owned by Beijing-based ByteDance, that allow attackers to hijack users' accounts, manipulate uploaded videos and expose personal information.
TikTok is a popular social media platform with a massive user base. According to November estimates by Sensor Tower Store Intelligence, it has over 500 million installs on Google Play and more than 1.5 billion across mobile platforms. It is used to share short-form looping mobile videos of 3 to 60 seconds.
Check Point researchers state in a report that the TikTok application and its backend were vulnerable to attack. ByteDance fixed the vulnerabilities within one month of the issues being disclosed to it in November.
“Data is pervasive but data breaches are becoming an epidemic, and our latest research shows that the most popular apps are still at risk,” Check Point’s Head of Product Vulnerability Research Oded Vanunu said.
“Social media applications are highly targeted for vulnerabilities as they provide a good source for private data and offer a good attack surface gate.”
Vulnerable SMS system in TikTok
According to Check Point, TikTok's SMS system allowed attackers to manipulate account data: adding and deleting videos, changing video privacy settings, and exfiltrating usernames, email addresses, birthdays and other personal data. The researchers showed that an attacker could exploit the flaws to upload unauthorized videos, delete uploaded videos, switch users' videos from private to public, and steal personal information.
To carry out these actions, an attacker could send a text message containing an app download link to a user's phone number, made to appear as though it came from TikTok. The link could also redirect the user to a web server controlled by the attacker.
“The redirection opens the possibility of accomplishing Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), and Sensitive Data Exposure attacks without user consent.”
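The article does not say how TikTok's redirect check was bypassed, so the following is an added illustration, not Check Point's or TikTok's code, of the general pattern behind an open redirect of this kind: a server that validates a `redirect_url`-style parameter by looking for its own domain name somewhere in the string accepts attacker-controlled hosts, while a check that parses the URL and compares the exact host against an allowlist does not. The host names, the parameter name and the weak pattern are assumptions chosen for the example.

```python
"""
Added example (not Check Point's or TikTok's code): an open-redirect check
that fails because it matches a substring instead of the parsed host, beside
a hardened version. Hosts and the weak pattern are assumptions for illustration.
"""
import re
from urllib.parse import urlparse

# Hypothetical allowlist of hosts a redirect parameter is permitted to point to.
ALLOWED_HOSTS = {"www.example-app.com", "login.example-app.com"}

# Weak check (assumed shape): the trusted domain only has to appear somewhere
# after the scheme, so "example-app.com" may sit in a subdomain label, in the
# query string, or in the userinfo part of an attacker's URL.
WEAK_PATTERN = re.compile(r"^https://.*example-app\.com")


def weak_is_safe_redirect(url: str) -> bool:
    return WEAK_PATTERN.match(url) is not None


def strict_is_safe_redirect(url: str) -> bool:
    """Parse the URL, then require https, no userinfo, and an exact allowlisted host."""
    try:
        parts = urlparse(url)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # Reject userinfo tricks such as https://login.example-app.com@evil.test/
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower()
    return host in ALLOWED_HOSTS


# Constructed inputs: one legitimate link and several attacker-controlled lookalikes.
# The value is the decision a correct check should make.
CASES = {
    "https://login.example-app.com/home": True,
    "https://login.example-app.com.evil.test/": False,             # trusted name as a subdomain label
    "https://evil.test/?next=https://www.example-app.com": False,  # trusted name only in the query
    "https://login.example-app.com@evil.test/": False,             # userinfo trick, real host is evil.test
    "http://login.example-app.com/home": False,                    # plaintext scheme
}


def evaluate(checker) -> dict:
    """Return {url: (checker_result, expected)} over the constructed cases."""
    return {url: (checker(url), expected) for url, expected in CASES.items()}


def misclassified(checker) -> list:
    """URLs on which the checker disagrees with the expected decision."""
    return [url for url, (got, exp) in evaluate(checker).items() if got != exp]


if __name__ == "__main__":
    for name, checker in (("weak", weak_is_safe_redirect), ("strict", strict_is_safe_redirect)):
        print(f"{name}: misclassified {misclassified(checker)}")
```

The weak check accepts three of the four hostile URLs, each of which would land the user on a server the attacker controls after a link that looked like the real one; the strict check accepts only the allowlisted host over https. In practice the allowlist comparison belongs on the server that issues the redirect, and the same exact-host rule applies to any "download link" parameter the service echoes into an SMS on the user's behalf.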
“TikTok is committed to protecting user data. Like many organizations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us,” said Luke Deshotels of the TikTok security team.
Before public disclosure, Check Point confirmed that these vulnerabilities were patched in the latest version of the app.
TikTok banned on soldiers' government-issued smartphones
Check Point's disclosures come after TikTok was banned by US military branches including the Army, Navy, Marine Corps and Air Force.
“It is considered a cyber threat,” Army spokeswoman Lt. Col. Robin Ochoa said. “We do not allow it on government phones.”
New guidelines for all Defense Department employees also advise them to “be wary of applications you download, monitor your phones for unusual and unsolicited texts etc., and delete them immediately and uninstall TikTok to circumvent any exposure of personal information.”
This followed a letter sent by US senators Chuck Schumer and Tom Cotton in October “to the Acting Director of National Intelligence requesting an assessment of the national security risks posed by TikTok and other China-based content platforms operating in the U.S.”
After Reuters reported that the US government had opened a national security investigation into ByteDance's November 2017 acquisition of the US social app musical.ly, Schumer published a statement saying that the probe validates the senators' concern that apps like TikTok may pose serious risks to millions of Americans and deserve greater scrutiny.
Vanessa Pappas, TikTok's US general manager, responded that TikTok stores all US user data in the United States, with backup redundancy in Singapore. “Our data centers are located entirely outside of China, and none of our data is subject to Chinese law,” she said in late October.
One month later Pappas reiterated that “TikTok's data centers are located entirely outside of China,” and stated that the company has “a dedicated technical team focused on adhering to robust cybersecurity policies, and data privacy and security practices.”