Multiple vulnerabilities were found in the TikTok application, which could enable hackers to take control of the victim’s account and manipulate the account in various ways, according to researchers at Check Point. The video-sharing platform has now patched the flaws.
The researchers found out that hackers can delete the videos, upload unauthorised contents on the victim’s TikTok account, make the hidden videos public and can reveal the inside details of the account.
Hackers use the technique known as SMS Spoofing, which is similar to email spoofing, where the hacker sends a malicious SMS to the victim’s TikTok account. Hackers can add the URL parameter in the link, and when the user clicks on it, a web browser will open that will take the user to the malicious website making it possible for the hacker to send the requests on behalf of the user.
Hackers can also send SMS of legitimate log in link, such as TikTok’s website and with Cross-Site Scripting, and can redirect the victim to other websites that can contain malicious codes.
Apart from the vulnerabilities mentioned above, hackers can also take over the victim’s accounts by Cross-Site Request Forgery. The attacker sends the HTTP GET request to the victim’s user id and can delete the video.
Furthermore, exploiting the vulnerabilities, an attacker can expose the sensitive information of the user, can create the video using the user’s ID as well as and can change the private video to a public one.
TikTok has now fixed the vulnerabilities when notified by the researchers in November.
“The research presented here shows the risks associated with one of the most popular and widely used social apps in the world. Such risks enforce the essential need for privacy and data security in the cyber world we live in,” Checkpoint researchers concluded. “Data breaches are becoming an epidemic. Our data is stored across a number of networks and within it our most valuable, private information. It’s our joint responsibility to keep our data safe from compromise.”