Security researchers at Check Point have found multiple vulnerabilities in the Chinese-owned app TikTok which, they say, could have let attackers take over other users' accounts.
The team found that it was possible to send users spoofed text messages that appeared to come from the app. A link embedded in one of these authentic-looking messages would, when tapped, hand the attacker control of the victim's account.
With that control an attacker could upload and delete videos and change the privacy setting of existing videos from public to private. The same flaw could also be used to redirect a TikTok user to a web server controlled by the attacker, from which requests could be made in the victim's name.
Faults in the app's infrastructure also meant an attacker could have redirected a compromised user to a malicious website masquerading as the TikTok site, according to Check Point.
The app, which launched outside China two and a half years ago, has close to 1.5 billion users worldwide and runs on multiple platforms. That reach makes it a prime target: once one account is compromised, an attacker has a large audience through which to escalate further activity.
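The redirect described above is the general class of "open redirect" bug: a login or deep-link flow accepts a destination URL and forwards the user to it after checking, too loosely, that it belongs to the real site. The following is an added illustration, not code from the page or from Check Point's report, and it does not claim to reproduce TikTok's actual check. The host names, allowlist and the weak substring check are assumptions chosen to show the contrast between a brand-name match and a strict host allowlist.

```python
from typing import Optional
from urllib.parse import urlparse

# Assumption: hypothetical allowlist of hosts a post-login redirect may land on.
ALLOWED_HOSTS = {"www.example-app.com", "m.example-app.com"}
DEFAULT_LANDING = "https://www.example-app.com/"


def is_safe_redirect_weak(url: str) -> bool:
    """The kind of check that lets an attacker-owned host through.

    A substring match on the brand name accepts "example-app.com.evil.test",
    "evil.test/?next=example-app.com" and the userinfo trick
    "https://www.example-app.com@evil.test/".
    """
    return "example-app.com" in url


def is_safe_redirect(url: str) -> bool:
    """Strict check: absolute https URL whose exact host is on the allowlist."""
    parsed = urlparse(url)
    # Rejects scheme-relative ("//evil.test"), "javascript:" and plain http.
    if parsed.scheme != "https":
        return False
    # Rejects "https://www.example-app.com@evil.test/": the real host is evil.test.
    if parsed.username or parsed.password:
        return False
    host = parsed.hostname  # already lower-cased by urlparse
    return host is not None and host in ALLOWED_HOSTS


def resolve_redirect(requested: Optional[str]) -> str:
    """Destination the server should actually send the user to.

    Anything that fails the strict check falls back to a fixed landing page
    instead of the attacker-supplied URL.
    """
    if requested and is_safe_redirect(requested):
        return requested
    return DEFAULT_LANDING


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate target and several lookalikes.
    for candidate in [
        "https://www.example-app.com/profile",
        "https://www.example-app.com.evil.test/",
        "https://www.example-app.com@evil.test/",
        "//evil.test/",
        "https://evil.test/?next=example-app.com",
    ]:
        print(f"{candidate!r}: weak={is_safe_redirect_weak(candidate)} "
              f"strict={is_safe_redirect(candidate)} -> {resolve_redirect(candidate)}")
```

The weak version passes every lookalike because the brand name appears somewhere in the string; the strict version parses the URL, compares the exact host against a short allowlist and falls back to a known landing page rather than forwarding the user anywhere else. A server that also tells the user to keep their session on that landing page removes the "masquerading site" step entirely.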
Check Point notified TikTok developer ByteDance of the issues in November 2019. In a statement, the developer said: “Like many organisations, we encourage responsible security researchers to privately disclose zero-day vulnerabilities to us.
“Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage further collaboration with security researchers.”
According to Check Point, the vulnerabilities were present for most of 2019, and the firm said this raised "serious questions" over whether they had been exploited by attackers.
The company said that ByteDance had "responsibly deployed" a fix within a month of the issues being disclosed.
Oded Vanunu, the lead researcher on Check Point’s report, said: “There has been lots of speculation as to how safe or unsafe TikTok is. We proved that there were, indeed, serious security issues with TikTok.
“We don’t have visibility into TikTok’s platform, so we can’t tell if anything was actually exploited. But imagine how much power would have been in the hands of someone who wanted to distribute fake news on the platform.”