Hack Any TikTok Account Demonstration: Proof of Concept


TikTok, the third most downloaded app of 2019, is already under intense scrutiny over user privacy, censorship of politically sensitive content, and national security concerns. It is not over yet: the security of its huge user base is now also in question.

The popular Chinese video-sharing app contained potentially dangerous vulnerabilities that could have allowed remote attackers to hijack any user account simply by knowing the victim’s mobile phone number.

In a report shared privately with The Hacker News, cybersecurity researchers at Check Point revealed that chaining several vulnerabilities allowed them to remotely execute malicious code and perform unwanted actions on behalf of victims without their consent.

The vulnerabilities are individually of low severity, such as SMS link spoofing, open redirection, and cross-site scripting (XSS), but when chained together they could allow a remote attacker to carry out high-impact attacks, including:

delete videos from the victim’s TikTok account,
upload unauthorized videos to the victim’s TikTok profile,
make private “hidden” videos public,
disclose personal information stored in the account, such as private addresses and email addresses.

The attack leverages an insecure SMS feature that TikTok offers on its website to let users send a message to their own phone number containing a link to download the video-sharing app.

According to the researchers, an attacker can send an SMS message to any phone number on behalf of TikTok with a modified download URL pointing to a malicious page designed to execute code on a device that already has the TikTok app installed.
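As an added example (not Check Point’s or TikTok’s code), the following shows how a server should validate a caller-supplied download URL before embedding it in such an SMS: a naive substring check of the kind an open redirect hides behind, beside a strict allowlist check on the parsed scheme and hostname. The allowed hostnames and the default download link are assumptions for illustration only.

```python
from typing import Optional
from urllib.parse import urlparse

# Hosts the "send me the download link" SMS feature may legitimately point to.
# Hypothetical allowlist for this example; not TikTok's real configuration.
ALLOWED_HOSTS = {"www.tiktok.com", "tiktok.com"}

# Fixed, known-good link used whenever the caller-supplied URL is rejected.
DEFAULT_DOWNLOAD_URL = "https://www.tiktok.com/download"  # assumed value


def weak_check(url: str) -> bool:
    """Naive validation: accepts any URL that merely mentions the brand.

    A substring test like this passes attacker-controlled hosts whose
    query string or subdomain happens to contain the expected name."""
    return "tiktok.com" in url


def is_safe_download_url(url: str) -> bool:
    """Strict validation: parse the URL and require an https scheme, no
    embedded credentials, and an exact hostname match against the allowlist."""
    try:
        parts = urlparse(url)
    except ValueError:          # malformed input (e.g. bad IPv6 literal)
        return False
    if parts.scheme != "https":
        return False
    if parts.username or parts.password:   # reject user@host forms outright
        return False
    return parts.hostname in ALLOWED_HOSTS


def build_sms_link(requested_url: Optional[str]) -> str:
    """Server side of the SMS feature: only embed the caller-supplied URL if it
    passes the strict check, otherwise fall back to the fixed default link."""
    if requested_url and is_safe_download_url(requested_url):
        return requested_url
    return DEFAULT_DOWNLOAD_URL
```

With the strict check in place, a modified download parameter can no longer turn the SMS feature into a delivery channel for an attacker-chosen page; the message always links to an allowlisted host.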


When combined with the open redirection and cross-site scripting issues, the attack could allow hackers to execute JavaScript code on behalf of victims as soon as they click the link delivered by the TikTok server over SMS, as shown in the video demonstration Check Point shared with The Hacker News.

This technique is known as a cross-site request forgery (CSRF) attack, in which attackers trick authenticated users into executing an unwanted action.

“With the absence of an anti-Cross-Site Request Forgery mechanism, we recognized that we could execute JavaScript code and perform actions on behalf of the victim, without his/her consent,” the researchers said in a blog post published today. “Redirecting the user to a malicious site will execute JavaScript code and make requests to TikTok with the victims’ cookies.”

Check Point responsibly reported these vulnerabilities to ByteDance, the developer of TikTok, in late November 2019, and the company released a patched version of its mobile app within a month to protect its users from hackers. If you are not running the latest version of TikTok available on the official app stores for Android and iOS, you are advised to update it as soon as possible.