Check Point researchers have discovered several vulnerabilities in TikTok, one of the world's most popular applications. Knowing only a victim's phone number, an attacker could manipulate that person's account and gain access to their personal data. Chained together, the vulnerabilities allowed an attacker to remotely run malicious code and perform actions on behalf of victims without their consent.
Individually, each of the detected vulnerabilities was rated low severity: they involved spoofed links in SMS messages, an open redirect, and XSS. Chained together, however, they allowed a remote attacker to:
- delete any video from the victim's profile;
- upload unauthorized videos to the victim's profile;
- make private ("hidden") videos public;
- disclose personal information stored in the account, including addresses and email addresses.
The attack started from the SMS feature on TikTok's website, which lets a user enter a phone number and receive a text message containing a link to download the app.
As it turned out, the link in that message was under the sender's control: an attacker could send an SMS on TikTok's behalf to any phone number and replace the download link with a URL pointing to a malicious page, designed to run attacker-controlled code on a device that already had the TikTok app installed.
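The core weakness in the SMS feature described above is that the link placed in a message sent by the service came from the request rather than from the server. The following Python is an added illustration written for this page, not TikTok's code or Check Point's proof of concept: a hypothetical SMS-link builder in its vulnerable and hardened forms, plus the same allowlist check applied to a redirect parameter, which is how an open redirect of the kind listed above is closed. The host allowlist, the default download URL, and all function names are assumptions.

```python
from typing import Optional
from urllib.parse import urlparse

# Hypothetical allowlist and default link (assumptions for this example,
# not the real service's configuration).
ALLOWED_HOSTS = {"example.com", "www.example.com"}
DEFAULT_DOWNLOAD_URL = "https://www.example.com/download"


def is_allowed_url(url: str) -> bool:
    """True only for an absolute https URL whose host is on the allowlist.

    Parses the URL instead of doing a prefix/substring match, so the usual
    bypasses (userinfo tricks, look-alike subdomains, odd ports) are rejected.
    """
    try:
        parts = urlparse(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username or parts.password:  # https://www.example.com@attacker.test/
        return False
    if port not in (None, 443):
        return False
    host = (parts.hostname or "").lower()
    return host in ALLOWED_HOSTS


def vulnerable_sms_text(requested_url: str) -> str:
    # VULNERABLE: trusts the caller-supplied link, so anyone can have the
    # service send an SMS that points at an attacker-controlled page.
    return f"Download the app: {requested_url}"


def hardened_sms_text(requested_url: Optional[str]) -> str:
    # HARDENED: only an allowlisted https URL is honoured; anything else
    # falls back to the fixed official link.
    if requested_url and is_allowed_url(requested_url):
        return f"Download the app: {requested_url}"
    return f"Download the app: {DEFAULT_DOWNLOAD_URL}"


def safe_redirect_target(requested: str, fallback: str = "/") -> str:
    """Open-redirect fix: accept a same-site relative path or an allowlisted host.

    "//host" and "/\\host" are protocol-relative in browsers, so they are not
    treated as local paths.
    """
    if requested.startswith("/") and not requested.startswith(("//", "/\\")):
        return requested
    if is_allowed_url(requested):
        return requested
    return fallback


if __name__ == "__main__":
    attacker = "https://www.example.com@attacker.test/payload"
    print(vulnerable_sms_text(attacker))   # link goes straight into the SMS
    print(hardened_sms_text(attacker))     # falls back to the official link
    print(safe_redirect_target("//attacker.test/"))  # "/"
```

The point of parsing rather than string-matching is visible in the userinfo case: `https://www.example.com@attacker.test/` begins with the trusted hostname but resolves to `attacker.test`, and a `startswith` check would let it through.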
Check Point notified ByteDance, TikTok's developer, of these vulnerabilities in late November 2019; about a month later the developers released patches fixing all of the reported problems.