TikTok vulnerabilities could allow hackers to get access to your personal data through...

nanoguy

Why it matters: If you're one of the over 1.5 billion users of TikTok, you may want to update your app as soon as possible. According to Check Point security researchers, some versions of the app are vulnerable to several kinds of attacks that could compromise personal information stored on your phone.

TikTok is currently used by more than 700 million users every month, which makes it an attractive target for hackers fishing for your personal data. And since a big chunk of its audience is comprised of teenagers, they run an even higher risk of this turning into a privacy nightmare.

According to Check Point Research, the popular lip-syncing video sharing app has multiple vulnerabilities that make it relatively easy for attackers to take complete control of your account, upload or remove videos, and expose private information or videos that you may have set to "hidden."

The vulnerabilities were discovered in November and affect both the Android and iOS versions of TikTok, except for the latest version of the app, which has been patched.

For example, the researchers noticed the platform allows users to receive a link to download the app via an SMS message which can be requested through the official website. But this mechanism is far from perfect, as researchers quickly found a way to manipulate the text and download link in the messages to send special commands to the app if it's already installed on your phone. Furthermore, they could use this hole to send a message to any phone number, not just those that were used to register TikTok accounts.

From there, an attacker can exploit bugs in the browser redirect setup to control your account and do things like following other accounts, getting personal information like email, and making private videos public. Through some more elaborate JavaScript code wizardry, the attacker can even create videos and post them from the third party's account.

TikTok isn't the only social platform where SMS has been found to be a security culprit. Last year, Twitter had to disable its tweet-via-SMS feature after CEO Jack Dorsey's account was hijacked through a vulnerability in that cloud-based mechanism.

TikTok owner ByteDance remains under regulatory scrutiny over its alleged ties with China. The app has been banned by the US military and is currently the subject of a national security review, which is why ByteDance is scrambling to move its operations outside of China while keeping silent on everything related to what happens in that region.

Still, Check Point says TikTok was quick to respond when they were notified about the findings, and managed to fix the newly-discovered vulnerabilities by the end of December.
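For developers running a similar "text me a download link" feature, here is a defensive sketch of the checks that the SMS link manipulation and redirect abuse described above would have to get past. It is an added example, not TikTok's or Check Point's code: the server builds the message from a fixed template, limits how many messages one client can trigger, and only redirects to exact allowlisted HTTPS hosts. The host names, function names, limits and message text are all assumptions.

```javascript
// Added example. Hosts, names, limits and message text are assumptions.
const DOWNLOAD_LINK = "https://downloads.example.com/app"; // fixed on the server
const REDIRECT_HOSTS = new Set(["www.example.com", "downloads.example.com"]);
const MAX_PER_WINDOW = 3;           // invite messages per client per window
const WINDOW_MS = 60 * 60 * 1000;   // one hour
const sent = new Map();             // clientId -> timestamps (ms) of recent sends

// Sliding-window limit so the endpoint cannot be used to message
// arbitrary phone numbers in bulk.
function allowSend(clientId, now = Date.now()) {
  const recent = (sent.get(clientId) || []).filter((t) => now - t < WINDOW_MS);
  const ok = recent.length < MAX_PER_WINDOW;
  if (ok) recent.push(now);
  sent.set(clientId, recent);
  return ok;
}

// Build the invite SMS. Only the phone number is taken from the request;
// any link or text the client supplies is ignored.
function buildInviteSms(clientId, body, now = Date.now()) {
  const phone = String((body && body.phone) || "");
  if (!/^\+[1-9]\d{6,14}$/.test(phone)) {          // E.164 shape
    return { ok: false, error: "invalid phone number" };
  }
  if (!allowSend(clientId, now)) {
    return { ok: false, error: "rate limit exceeded" };
  }
  return { ok: true, to: phone, text: `Download the app: ${DOWNLOAD_LINK}` };
}

// Accept a redirect target only if it is an absolute https URL, carries no
// embedded credentials, and its host exactly matches the allowlist.
function isAllowedRedirect(target) {
  let url;
  try { url = new URL(target); } catch { return false; }
  if (url.protocol !== "https:") return false;
  if (url.username || url.password) return false;
  return REDIRECT_HOSTS.has(url.hostname);
}

// Constructed sample inputs.
const demo = buildInviteSms("client-1", { phone: "+14155550100", link: "https://other.test/x" });
console.log(demo.text);
console.log(isAllowedRedirect("https://www.example.com.other.test/"));
```

Matching the parsed host exactly, rather than testing the raw string for a trusted suffix or substring, is what rejects lookalike hosts and credential-style URLs.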
