TikTok, the 3rd most downloaded app of 2019, is already under intense scrutiny over users' privacy, censorship of politically sensitive content and national security concerns, and that is not the end of it: the protection of its huge user base is now also in question.
The well-known Chinese viral video-sharing app contained potentially dangerous vulnerabilities that could have allowed remote attackers to hijack any user account simply by knowing the mobile number of the targeted victim.
In a report shared privately with The Hacker News, security researchers at Check Point revealed that chaining several vulnerabilities allowed them to remotely execute malicious code and perform unwanted actions on behalf of victims without their consent.
The reported vulnerabilities include individually low-severity issues, such as SMS link spoofing, open redirection and cross-site scripting (XSS), which when chained together could allow a remote attacker to carry out high-impact attacks, including:
delete videos from a victim's TikTok account,
upload unauthorized videos to a victim's TikTok profile,
make private "hidden" videos public,
disclose personal information stored on the account, such as private addresses and email addresses.
The attack leverages an insecure SMS feature that TikTok offers on its website, which lets users send a message to their own phone number containing a link to download the video-sharing app.
According to the researchers, an attacker could send an SMS message to any phone number on behalf of TikTok with a modified download URL pointing to a malicious web page designed to execute code on the targeted device, on which the TikTok app is already installed.
This technique is known as a cross-site request forgery (CSRF) attack, in which attackers trick authenticated users into performing an unwanted action.
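As an added example (not code from TikTok, Check Point or The Hacker News), here is a hardened handler for the kind of "text me the download link" feature the attack chain abused: the link is chosen server-side from a fixed allowlist rather than taken from the request, the SMS goes only to the phone number verified for the session, and the request must carry a CSRF token. The endpoint, parameter names, session fields and store URLs are assumptions for illustration.

```python
# Added example, not TikTok's code. Hardened "send me the download link" handler:
# no client-supplied URL (blocks link spoofing / open redirect in the SMS),
# SMS only to the session's verified number, and a CSRF token check.
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed store links: the ONLY URLs this endpoint will ever put in an SMS.
ALLOWED_DOWNLOAD_URLS = {
    "ios": "https://apps.apple.com/app/EXAMPLE-ID",
    "android": "https://play.google.com/store/apps/details?id=EXAMPLE.PACKAGE",
}


def is_allowlisted_url(url: str) -> bool:
    """True only for an exact https match against the allowlist (no prefix tricks)."""
    return urlsplit(url).scheme == "https" and url in ALLOWED_DOWNLOAD_URLS.values()


def issue_csrf_token(session: dict) -> str:
    """Mint a per-session CSRF token; the form must echo it back."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def handle_send_download_sms(session: dict, form: dict, send_sms) -> tuple:
    """Return (http_status, message). `send_sms(phone, text)` is an assumed gateway."""
    # 1. Reject cross-site requests: token must match the session's (constant time).
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "invalid CSRF token"
    # 2. Never accept a caller-supplied link; choose it server-side by platform.
    if "download_url" in form:
        return 400, "download_url must not be supplied by the client"
    url = ALLOWED_DOWNLOAD_URLS.get(form.get("platform", ""))
    if url is None or not is_allowlisted_url(url):
        return 400, "unknown platform"
    # 3. Only message the phone number already verified for this session,
    #    so the feature cannot be turned into an SMS sender to arbitrary numbers.
    phone = session.get("verified_phone")
    if not phone:
        return 403, "no verified phone number on this session"
    send_sms(phone, f"Download the app: {url}")
    return 200, "sent"
```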