The Chinese video-sharing app TikTok, one of the most popular apps today with over 1 billion users, had serious vulnerabilities that could let an attacker hijack anyone’s account with a single SMS. Attackers could easily spoof the sender so that victims believed the SMS came from TikTok. Last year, TikTok paid a fine of $5.7 million for sharing minors’ information. TikTok was under scrutiny throughout 2019, including a ban by an Indian court.
Researchers at the Israel-based firm Check Point chained several vulnerabilities to take over a user’s account while knowing only their mobile number. The researchers ran malicious code to gain access to the account without the user’s consent.
The chain of vulnerabilities includes SMS spoofing, redirection, and cross-site scripting (XSS) on one of TikTok’s subdomains, https://ads.tiktok.com, which could allow attackers to inject malicious scripts and hijack cookies. Anyone can send a message to any mobile number containing a link to download TikTok from TikTok’s official website. A potential attacker could modify this URL to point to a malicious URL and hijack any account.
If the attacker combines the redirection with the XSS (known as a cross-site request forgery attack), then as soon as the user clicks the link, JavaScript is executed and the attacker gains access to the user’s account.
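As an added, defender-side example that is not from the article, Check Point or TikTok: a Python redirect validator for the kind of download-link URL described above, showing why a substring check on the target fails and what a strict allowlist check rejects. The allowed hosts and the fallback URL are constructed placeholders.

```python
"""
Added example: validating a redirect target so an SMS download link cannot be
repointed at an attacker-controlled site. Hostnames are constructed placeholders.
"""
from urllib.parse import urlsplit

# Constructed allowlist of hosts the download link may legitimately send users to.
ALLOWED_HOSTS = {"www.example.com", "app.example.com"}
FALLBACK = "https://www.example.com/download"


def weak_is_safe_redirect(url: str) -> bool:
    """The flawed check: a substring match, the usual root of open-redirect bugs."""
    return "example.com" in url


def is_safe_redirect(url: str) -> bool:
    """Hardened check: parse the URL and require an exact allowlisted host."""
    if "\\" in url:
        # Browsers normalise backslashes to slashes; reject rather than guess.
        return False
    parts = urlsplit(url)
    if parts.scheme != "https":
        # Rejects javascript:, data:, http: and protocol-relative targets alike.
        return False
    if parts.username is not None or parts.password is not None:
        # user@host forms are never legitimate for a download link.
        return False
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if port not in (None, 443):
        return False
    host = (parts.hostname or "").lower()
    return host in ALLOWED_HOSTS


def safe_redirect_target(url: str) -> str:
    """Return the requested target if it validates, otherwise the fixed fallback."""
    return url if is_safe_redirect(url) else FALLBACK
```

The weak check accepts every lookalike and userinfo trick in the test cases; the strict check accepts only the two allowlisted hosts over HTTPS.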
An attacker could do the following:
- Upload videos
- Delete videos
- Make private videos public
- Reveal information such as e-mail addresses
> “With the lack of an anti-cross-site request forgery mechanism, we realized that we could execute JavaScript code and perform actions on behalf of the victim, without his/her consent.”
>
> Researchers
All of this is possible because of the “deep links” functionality of the TikTok app, which allows intents to be invoked. The researchers sent their report to TikTok on 20th November, and the vulnerability was removed in the new patched version on 15th December.