Check Point researchers have discovered several vulnerabilities in one of the world's most popular applications, TikTok. Knowing only the victim's phone number, an attacker could manipulate other people's accounts and gain access to personal data. Chaining several of the vulnerabilities allowed remote execution of malicious code and unwanted actions performed on the victims' behalf without their consent.

Individually, each of the vulnerabilities was low severity; they involved link spoofing in SMS messages, open redirects, and XSS. In combination, however, these bugs allowed a remote attacker to perform the following actions:

  • delete any video from the victim's profile;
  • upload unauthorized videos to the victim's profile;
  • make private ("hidden") videos public;
  • disclose personal information stored in the account, including addresses and emails.

For the attack, the researchers used the insecure SMS-sending feature that TikTok offers on its website: a user can enter a phone number and receive a text message containing a link to download the application.

As it turned out, an attacker could send an SMS message on TikTok's behalf to any number and place in that message an arbitrary URL pointing to a malicious page designed to execute code on a device that already had the TikTok application installed.

Combined with the open redirect and cross-site scripting issues, this allowed JavaScript to be executed in the victim's context as soon as the user clicked the link received via SMS. A video demonstration of the attack can be seen below.
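The chain above rests on two link-handling weaknesses: an SMS feature that accepts an attacker-supplied URL, and an open redirect that forwards users to whatever target is passed to it. The following added example (not Check Point's or TikTok's code; the host names and function names are constructed for illustration) contrasts a loose substring check, which is the pattern that usually makes a redirect "open", with a strict parse-based allowlist that a defender would apply to both the SMS link parameter and any redirect parameter.

```python
from typing import Optional
from urllib.parse import urlparse

# Hosts this hypothetical application may link to in SMS messages or redirect to.
# Constructed allowlist: the real service's domains are not on the page.
ALLOWED_HOSTS = {"example-app.com", "www.example-app.com", "m.example-app.com"}


def is_safe_target_weak(url: str) -> bool:
    """Loose substring check, shown only as the weak pattern that leaves a
    redirect open: any URL that merely *contains* the trusted domain passes,
    including 'https://example-app.com.evil.example/' and
    'https://evil.example/?next=example-app.com'."""
    return "example-app.com" in url


def is_safe_target(url: str) -> bool:
    """Strict check: parse the URL, require https, reject embedded credentials
    (user@host tricks), and require an exact match of the host against the
    allowlist rather than a substring or suffix match."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False          # rejects http://, javascript:, and scheme-relative //host
    if parsed.username or parsed.password:
        return False          # rejects https://trusted.com@evil.example/
    host = (parsed.hostname or "").lower()
    return host in ALLOWED_HOSTS


def build_sms_body(download_url: str) -> Optional[str]:
    """Build the 'download the app' text only if the link is one we control.
    Returns None so the caller can refuse the request instead of sending a
    message on the service's behalf that points somewhere else."""
    if not is_safe_target(download_url):
        return None
    return f"Download the app: {download_url}"


def redirect_location(requested: Optional[str], fallback: str = "https://www.example-app.com/") -> str:
    """Resolve a redirect parameter: honour it only if it passes the strict
    check, otherwise fall back to a fixed in-app landing page."""
    if requested and is_safe_target(requested):
        return requested
    return fallback


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate link and two look-alikes.
    for candidate in (
        "https://www.example-app.com/download",
        "https://example-app.com.evil.example/download",
        "https://evil.example/?next=example-app.com",
    ):
        print(f"{candidate!r}: weak={is_safe_target_weak(candidate)} strict={is_safe_target(candidate)}")
```

The key design choice is to compare the parsed host name exactly against a fixed set rather than testing whether the trusted domain appears anywhere in the string; the weak function is kept only to make the difference visible on the sample inputs.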

Check Point notified ByteDance, the developer of TikTok, of these vulnerabilities in late November 2019, and a month later the developers released patches fixing all of the reported issues.
