Researchers at Check Point have disclosed flaws in TikTok, one of which let attackers send users SMS messages containing malicious links.
Over the past couple of months, Check Point researchers identified multiple vulnerabilities in the TikTok application that left its users exposed to attackers.
One vulnerability allowed an attacker to send SMS messages to any phone number on behalf of TikTok, containing a link of the attacker's choosing that redirected the victim to a malicious website.
“The redirection opens the possibility of accomplishing Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and Sensitive Data Exposure attacks without user consent,” explained CheckPoint.
An attacker wishing to send such an SMS message to a victim captures the HTTP request that triggers the message using an intercepting proxy tool. The download_url parameter in that request, whose value becomes the link in the SMS message, can be changed to any link the attacker chooses to type, because the server placed it in the message without checking it.
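As an added illustration (code written for this article, not taken from Check Point's research or from TikTok), the pattern behind this issue is a client-supplied parameter copied verbatim into a message the server sends. The snippet below shows that behaviour next to a server-side allowlist check on the URL. The parameter name download_url comes from the write-up; the allowlisted hosts, the phone number and the message wording are hypothetical.

```python
"""Vulnerable vs. hardened handling of a client-supplied download_url that is
echoed into an SMS body.  Illustrative code written for this article; the
parameter name is from the Check Point write-up, the hosts and message text are
assumed."""
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts the SMS link is permitted to point at.
ALLOWED_HOSTS = {"www.example-app.com", "example-app.com"}


def build_sms_vulnerable(phone: str, download_url: str) -> str:
    """'Before' behaviour: the value from the request goes into the SMS
    unchanged, so a proxied request can swap in any attacker-chosen link."""
    return f"To {phone}: Download the app here: {download_url}"


def validate_download_url(download_url: str) -> bool:
    """Server-side allowlist check for a link that will be sent to a user.

    Accepts only https URLs whose authority is exactly an allowlisted host:
    no userinfo, no port, no control characters or backslashes that make
    different URL parsers disagree about where the host ends."""
    if not isinstance(download_url, str) or len(download_url) > 2048:
        return False
    # Control characters and backslashes are rejected outright rather than
    # normalised; clients and servers parse them inconsistently.
    if any(ord(c) < 0x20 or c == "\x7f" or c == "\\" for c in download_url):
        return False
    try:
        parts = urlsplit(download_url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme.lower() != "https":
        return False  # rejects http:, javascript:, data:, custom app schemes
    if parts.username is not None or parts.password is not None:
        return False  # e.g. https://www.example-app.com@evil.example/
    host = parts.hostname  # already lower-cased by urlsplit
    if host is None or host not in ALLOWED_HOSTS:
        return False  # catches evil.example/www.example-app.com and
        # www.example-app.com.evil.example alike
    # The authority must be the bare host: no port, brackets or userinfo.
    if parts.netloc.lower() != host:
        return False
    return True


def build_sms_hardened(phone: str, download_url: str) -> Optional[str]:
    """'After' behaviour: the SMS is only built for an allowlisted link.
    Returns None (and the caller should log and refuse) for anything else."""
    if not validate_download_url(download_url):
        return None
    return f"To {phone}: Download the app here: {download_url}"


if __name__ == "__main__":
    # Constructed inputs, not from the research.
    for candidate in (
        "https://www.example-app.com/download",
        "https://evil.example/www.example-app.com",
        "https://www.example-app.com@evil.example/",
    ):
        print(candidate, "->", build_sms_hardened("+15555550100", candidate))
```

The simplest correct fix is for the server not to accept the link from the client at all and to send a fixed URL it controls. Where the client must choose between links, the allowlist above rejects the usual bypasses: a different scheme, an allowlisted name appearing only in the path or as a label inside an attacker-owned domain, userinfo before an @, a non-standard port, and backslash or control characters. The sample inputs in the block are constructed for the example.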
Other vulnerabilities found in the TikTok application allowed an attacker to take control of TikTok accounts and manipulate their content: deleting videos, uploading unauthorised videos, making private “hidden” videos public, and revealing personal information saved on the account, such as email addresses.
A spokesperson for TikTok has confirmed that all of the vulnerabilities have been fixed; however, the company has not said whether any of them were exploited before the fix.
“TikTok is committed to protecting user data. Like many organisations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us,” said Luke Deshotels, head of TikTok’s security team.
“Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers.”
American lawmakers have expressed concerns about TikTok and the security of user data. In December, a college student filed a lawsuit accusing TikTok of secretly harvesting large amounts of personally identifiable user data and sending it to China.
More recently, the US Army banned service members from using the app on government phones, after the Pentagon issued guidance on it.
The post #Privacy: Serious security flaws in TikTok identified appeared first on PrivSec Report.