Launched in 2017, TikTok quickly cemented its place among the most popular social media applications, reaching 1.5 billion downloads last year. Owned by Beijing-based ByteDance, the app has been in hot water lately over political issues. In November, the firm apologized for removing a viral video about the persecution of Uighur Muslims in China. Moreover, according to the New York Times, the app is also under national security review in the United States.
Now, security firm Check Point Research has published a report on major security vulnerabilities in TikTok that have since been patched by ByteDance. These flaws could have enabled attackers not only to access personal user data but also to manipulate users' profile status and videos.
The following video showcases these vulnerabilities in action from both the hackers' and their victims' perspective:
In short, these are the actions an attacker could have performed before the flaws were fixed:
- Get a hold of TikTok accounts and manipulate their content
- Delete videos
- Upload unauthorized videos
- Make private “hidden” videos public
- Reveal personal information saved on the account such as private email addresses
In a statement to ZDNet, Luke Deshotels, security engineer for TikTok, commented on the matter in the following way:
"TikTok is committed to protecting user data. Like many organizations, we encourage responsible security researchers to privately disclose zero-day vulnerabilities to us. Before public disclosure, CheckPoint agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers."
As for the details of the issues: to start with, a spoofed SMS message could be created simply by changing the download_url parameter in a captured HTTP request. Any link inserted in its place would then be sent to the user as though it came from the TikTok team. As a result, it was possible to send links that redirected users to malicious websites.
Digging further into JavaScript code execution, the researchers found that personal information could also be retrieved through API calls that were already present. First, however, the Cross-Origin Resource Sharing (CORS) and Same-Origin Policy (SOP) protections had to be bypassed. This proved not to be too difficult: TikTok already had in place an "unconventional" JSONP callback method that allows data to be requested without being subject to the CORS and SOP mechanisms.
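To illustrate why a JSONP callback sidesteps SOP and CORS, and what the hardened form of such an endpoint looks like, here is an added example in Node.js. It is not Check Point's or TikTok's code; the endpoint shape, the user record, and the origin allowlist are constructed assumptions.

```javascript
// Added illustration, not code from the report or from TikTok.
// Constructed sample of the data a user-info endpoint would return.
const USER = { email: "user@example.invalid", id: 42 };

// Vulnerable handler: when ?callback= is present the data is wrapped in a
// script named by the caller. A <script> tag on ANY origin may load and run
// that script with the user's cookies attached, so neither SOP nor CORS is
// ever consulted and a third-party page receives the email in its callback.
function jsonpHandler(req) {
  const cb = req.query.callback;
  if (cb) {
    return {
      status: 200,
      headers: { "Content-Type": "application/javascript" },
      body: `${cb}(${JSON.stringify(USER)});`,
    };
  }
  return { status: 200, headers: { "Content-Type": "application/json" },
           body: JSON.stringify(USER) };
}

// Hardened handler: JSONP is refused outright, the body is inert JSON that
// a <script> tag cannot read, and cross-origin readers are admitted only
// from an explicit allowlist via CORS, which the browser enforces on fetch/XHR.
const ALLOWED_ORIGINS = new Set(["https://app.example.invalid"]); // assumed allowlist

function hardenedHandler(req) {
  const headers = { "Content-Type": "application/json",
                    "X-Content-Type-Options": "nosniff" };
  if (req.query.callback !== undefined) {
    return { status: 400, headers, body: '{"error":"jsonp not supported"}' };
  }
  const origin = req.headers.origin;
  if (origin && !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers, body: '{"error":"origin not allowed"}' };
  }
  if (origin) {
    headers["Access-Control-Allow-Origin"] = origin; // echo only allowlisted origins
    headers["Vary"] = "Origin";                      // keep caches per-origin
  }
  return { status: 200, headers, body: JSON.stringify(USER) };
}
```

A SameSite attribute on the session cookie is a complementary layer not shown here; it limits which cross-site requests carry credentials at all.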
Although, as mentioned above, TikTok had already fixed these vulnerabilities before the Check Point Research report was published today, the fact that a data breach of this scale was possible in the first place raises serious questions about how secure user data really is on social media applications in general.
Source: Check Point Research