TikTok flaw allowed hackers to read text messages and control accounts

TikTok's security vulnerabilities, which could have been used to hijack and manipulate accounts, are finally patched

Attackers could have taken control of accounts and stolen user data: multiple flaws were discovered in TikTok, the social media platform built around sharing short-form looping videos. According to researchers from Check Point, anyone who had an account could have been vulnerable.[1] In a report published on January 8th, the Check Point team disclosed that the platform, with its billion users, was potentially open to any attacker who could then access and manipulate accounts and the content posted on them.[2]

TikTok is as popular as Facebook or Instagram, and with such media success come risks. As the researchers put it:

TikTok videos are entertaining. They’ve created a major trend, a style, even a musical genre. But as some have experienced, there is often a fine line between fun clips and private, even intimate assets being compromised while trusting to be under the protection of the apps we use.

After the flaws in the application were reported to the developers, TikTok patched the application, and it is safe to use now. Until then, the vulnerabilities in the application and in its SMS system were accessible to anyone aiming to steal data or take control of targeted TikTok accounts. It has not been disclosed how long the app was vulnerable, although the company says it has found no indication that hackers abused the flaws.[3]

Vulnerability found in the SMS system

The attack starts with TikTok's own SMS feature, which lets a user enter a phone number and receive a text message with a link to download the app. Using the disclosed flaws, an attacker could abuse this feature to send a message to any phone number that appeared to come from TikTok but carried a link of the attacker's choosing.

Once a victim followed such a link, malicious code could be injected and eventually executed on the device. Redirects to web servers controlled by the attacker then made it possible to send further requests to TikTok on behalf of the compromised user. Such attacks can result in exposure of sensitive data and outright account takeover.[4]
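The chain described above is easier to see in code. The following Python is an added illustration written for this article; it is not TikTok's code and does not come from the Check Point report, and the function names, constants, phone number and attacker host are made up. It contrasts a "text me the download link" handler that trusts a caller-supplied URL with one that always sends a fixed link, and a redirect check that only looks for the trusted domain somewhere in the URL with one that compares the parsed host against an allowlist. A small driver models the whole chain and shows that fixing either half breaks it.

```python
import re
from urllib.parse import urlparse

# Assumed constants for this illustration (not TikTok's real values).
OFFICIAL_DOWNLOAD_URL = "https://www.tiktok.com/download"
ALLOWED_REDIRECT_HOSTS = {"www.tiktok.com", "m.tiktok.com"}


def build_sms_vulnerable(phone, download_url):
    """Weak 'text me the app' handler: the link in the message is whatever the
    request carried, so an attacker can make the legitimate SMS sender deliver
    a link to a server they control, branded as if it came from the platform."""
    return {"to": phone, "body": f"Download the app here: {download_url}"}


def build_sms_hardened(phone, _requested_url=None):
    """Hardened handler: the link is a server-side constant. Any URL in the
    request is ignored, so the message can only ever point to the real app."""
    return {"to": phone, "body": f"Download the app here: {OFFICIAL_DOWNLOAD_URL}"}


# A common weak redirect check: is the trusted domain mentioned anywhere?
_WEAK_DOMAIN_PATTERN = re.compile(r"tiktok\.com")


def is_safe_redirect_vulnerable(url):
    """Regex/substring check. Passes for attacker hosts such as
    'tiktok.com.evil.example', for 'evil.example/?next=tiktok.com', and for
    scheme-relative URLs, because it never looks at the actual host."""
    return bool(_WEAK_DOMAIN_PATTERN.search(url))


def is_safe_redirect_hardened(url):
    """Parse the URL and compare the exact host against an allowlist.
    Rejects non-https schemes, userinfo tricks ('www.tiktok.com@evil.example')
    and look-alike hosts."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False
    if parsed.username is not None or parsed.password is not None:
        return False
    return parsed.hostname in ALLOWED_REDIRECT_HOSTS


def attacker_link_reaches_victim(build_sms, is_safe_redirect, attacker_url):
    """Model of the chain in the article: does a message that looks like the
    platform's own SMS deliver a link that the redirect check lets through to
    an attacker-controlled server? Phone number is constructed test data."""
    message = build_sms("+15555550100", attacker_url)
    link = message["body"].split()[-1]
    lands_on_attacker = urlparse(link).hostname not in ALLOWED_REDIRECT_HOSTS
    return is_safe_redirect(link) and lands_on_attacker


if __name__ == "__main__":
    evil = "https://tiktok.com.evil.example/"
    print("both weak      :", attacker_link_reaches_victim(build_sms_vulnerable, is_safe_redirect_vulnerable, evil))
    print("fixed SMS only :", attacker_link_reaches_victim(build_sms_hardened, is_safe_redirect_vulnerable, evil))
    print("fixed redirect :", attacker_link_reaches_victim(build_sms_vulnerable, is_safe_redirect_hardened, evil))
```

The allowlist comparison uses `urlparse(...).hostname`, which strips any userinfo and port, so the same host string is compared regardless of how the attacker decorates the URL; a regex over the raw string cannot give that guarantee.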

According to the research team, the different attack techniques allowed a potential attacker to:

  • access the account;
  • manipulate the content posted on TikTok by uploading and deleting videos;
  • change the privacy settings of posted content;
  • make the account's personal data public;
  • collect personal details such as email address, full name and birthday.

TikTok is already facing backlash and bans

The China-based platform has already been banned from soldiers' phones.[5] The U.S. military voiced concerns about the social media platform and advised all Defense Department employees to treat the application as a potential risk to sensitive information, private texts and general security.

Several investigations have been opened into TikTok and similar or related applications. One of the biggest U.S. security concerns involves the apps' ties to China and their data tracking. TikTok officials have responded to the accusations, stating that the company and its creators take security seriously and want to be as transparent as possible so that users feel secure and informed.

Vanessa Pappas, General Manager of TikTok US, stated[6] back in November:

We store all US user data in the United States, with backup redundancy in Singapore. TikTok’s data centers are located entirely outside of China. Further, we have a dedicated technical team focused on adhering to robust cybersecurity policies, and data privacy and security practices.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
