Multiple vulnerabilities in one of the world's most popular mobile applications could have allowed attackers to manipulate user accounts and expose personal data including names, email addresses and dates of birth.
Uncovered by researchers at Check Point, the security vulnerabilities in video-sharing and social networking app TikTok – which has been downloaded by over a billion Android and iPhone users around the world – could have put the privacy of its users at risk.
While researchers can't be sure whether the security loopholes have been exploited, Check Point has collaborated with TikTok to fix the vulnerabilities and ensure that they can't now be used by hackers.
The first vulnerability researchers uncovered was in the SMS functionality of the TikTok app. To help users install the application, the website allows them to send a text message to themselves with a link to download it. However, it was found that attackers could exploit this for malicious purposes.
This attack requires the attacker to know the phone number of the intended victim; they could obtain it by already being connected to the victim in some way, through social engineering or phishing, or from a stolen or public list of numbers. The attack is anonymous and doesn't reveal the attacker's identity.
By editing the download URL parameter, the attacker can send a spoofed SMS message containing a malicious link owned by the attacker.
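The defensive counterpart of the download-link issue described above, as an added example that is not Check Point's or TikTok's code: a server that sends an install SMS should resolve the link itself rather than echoing a URL parameter, and any URL it does accept must pass an allow-list check. The host names, platform keys and function names are constructed placeholders; the article does not disclose TikTok's actual endpoint or parameter name.

```python
from typing import Optional
from urllib.parse import urlsplit

# Allow-list of hosts the app may legitimately be downloaded from.
# Constructed placeholders; the article does not name TikTok's real hosts.
ALLOWED_DOWNLOAD_HOSTS = {"downloads.example-app.com"}

# Server-side table of download links keyed by platform. The client picks
# a key, never a URL, so there is no link parameter for an attacker to edit.
DOWNLOAD_LINKS = {
    "android": "https://downloads.example-app.com/android",
    "ios": "https://downloads.example-app.com/ios",
}


def sms_body_weak(download_url: str) -> str:
    """Weak pattern: the link comes straight from the request and is echoed
    into an SMS sent under the service's own trusted sender identity."""
    return f"Download the app here: {download_url}"


def is_allowed_download_url(url: str) -> bool:
    """Return True only for an HTTPS URL whose host is on the allow-list.

    Rejects anything that fails to parse, uses another scheme (javascript:,
    http:, scheme-relative), carries credentials (user@host tricks), or
    points at a host outside the allow-list, including look-alike suffixes.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":          # urlsplit lower-cases the scheme
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return (parts.hostname or "") in ALLOWED_DOWNLOAD_HOSTS


def sms_body_hardened(platform: str, download_url: Optional[str] = None) -> str:
    """Hardened pattern: resolve the link server-side from the platform key.
    A supplied URL (e.g. a deep link) is used only if it passes the
    allow-list check; otherwise the fixed link is sent."""
    link = DOWNLOAD_LINKS.get(platform, DOWNLOAD_LINKS["android"])
    if download_url and is_allowed_download_url(download_url):
        link = download_url
    return f"Download the app here: {link}"
```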
However, that isn't the only vulnerability researchers uncovered as they found that the TikTok Ads subdomain of the official TikTok website was vulnerable to Cross-Site Scripting (XSS) attacks, allowing attackers to inject malicious scripts that could target users via a trusted domain.
Researchers discovered it was possible to manipulate this domain when using the search functionality of the TikTok Ads help centre by injecting code into the URL of the search results page.
By combining these flaws, an attacker could manipulate the victim's TikTok account: they could delete videos, make private videos public or post their own videos.
However, account manipulation isn't the only potential risk, as researchers found it possible to combine the SMS and XSS vulnerabilities to retrieve sensitive information about the victim not meant for public consumption, including their name, email address and date of birth.
"Social media applications are highly targeted for vulnerabilities as they provide a good source of personal, private data and offer a large attack surface. Malicious actors are spending large amounts of money and time to try and penetrate these hugely popular applications – yet most users are under the assumption that they are protected by the app they are using," said Oded Vanunu, head of product vulnerability research at Check Point.
After uncovering the vulnerabilities late last year, Check Point disclosed them to TikTok's Chinese parent company ByteDance, which worked quickly and deployed an update to fix the security loopholes.
TikTok confirmed to ZDNet that they'd worked with Check Point to fix the issue.
"TikTok is committed to protecting user data. Like many organizations, we encourage responsible security researchers to privately disclose zero-day vulnerabilities to us," said Luke Deshotels, security engineer for TikTok.
"Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers," he added.
To protect against falling victim to attacks that exploit the vulnerabilities uncovered by researchers, users should update their TikTok application to the latest version if they've not already done so.