Launched in 2017, TikTok quickly cemented its place among the most popular social media applications, reaching 1.5 billion downloads last year. Owned by Beijing-based ByteDance, the app has been in hot water lately over political issues. In November, the firm apologized for removing a viral video about the persecution of Uighur Muslims in China, and, according to the New York Times, the app is also under national security review in the United States.
Now, security firm Check Point Research has published a report on several serious security vulnerabilities in TikTok, which ByteDance has since patched. Chained together, the flaws could have let an attacker not only access personal user data but also manipulate a victim's profile settings and videos.
The following video showcases these vulnerabilities in action from both the hackers' and their victims' perspective:
In short, before the flaws were fixed an attacker could:
- Take control of TikTok accounts and manipulate their content
- Delete videos
- Upload unauthorized videos
- Make private “hidden” videos public
- Reveal personal information saved on the account such as private email addresses
In a statement to ZDNet, Luke Deshotels, a security engineer at TikTok, commented:
"TikTok is committed to protecting user data. Like many organizations, we encourage responsible security researchers to privately disclose zero-day vulnerabilities to us. Before public disclosure, CheckPoint agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers."
As for the details: to begin with, a spoofed SMS message could be sent simply by changing the download_url parameter in a captured HTTP request to the feature that texts a user a link to download the app. Any link inserted in its place was delivered to the target as though it came from the TikTok team, so an attacker could text a victim a link to a malicious website from a sender the victim had every reason to trust.
Without going into too much technical detail: the spoofed link could be crafted so that, once opened, the victim's browser made requests to TikTok carrying the victim's own cookies. This is where the other major flaws came in. With no anti-cross-site request forgery (CSRF) mechanism in place, JavaScript running in the attacker's page could perform actions on the victim's behalf, and the server accepted them because the session cookie was the only proof of intent it asked for. Using a combination of HTTP POST and GET requests, it was possible to fetch the victim's videos and change their status from private to public, automatically become a follower of the targeted user, or even create new videos and publish them from the victim's account.
Further work on executing JavaScript showed that the API calls the site already used could also be turned to retrieving the victim's personal information. To do so, though, the Cross-Origin Resource Sharing (CORS) and Same-Origin Policy (SOP) protections first had to be bypassed. That proved straightforward: TikTok already exposed an "unconventional" JSONP callback endpoint, which returns data wrapped in a script that any origin can load, sidestepping the CORS and SOP restrictions that would otherwise stop a foreign page from reading the response.
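The following is an added example, not Check Point's or TikTok's code, that models why a JSONP endpoint leaks authenticated data to any origin while a plain JSON endpoint behind CORS does not, and shows the server-side CORS decision and browser-side read check a hardened service relies on. The host names, the profile record and the callback parameter are constructed for the example.

```javascript
// Added example (not from the Check Point report or TikTok): JSONP versus
// CORS-protected JSON. Origins, paths and the profile data are hypothetical.
const ALLOWED_ORIGINS = new Set(["https://app.example.test", "https://www.example.test"]);

// Constructed sample record the API returns for the logged-in user.
const profile = { user: "victim", email: "victim@example.test", phone: "+1 555 0100" };

// JSONP: the server wraps the data in a call to a client-chosen function.
// A <script src="https://api.example.test/user/info?callback=steal"> tag on
// attacker.example runs this with the victim's cookies attached, because
// script loads are not subject to the same-origin policy read restriction.
function jsonpResponse(callbackName, data) {
  return `${callbackName}(${JSON.stringify(data)});`;
}

// Plain JSON is not valid script, so a <script> tag cannot execute it; only
// fetch()/XHR can read it, and those are gated by SOP plus CORS.
function jsonResponse(data) {
  return JSON.stringify(data);
}

// Models the attacker's page: define a global `steal`, then let the browser
// execute whatever the endpoint returned.
function attackerPageHarvests(responseBody) {
  const stolen = [];
  try {
    new Function("steal", responseBody)((d) => stolen.push(d));
  } catch (e) {
    if (!(e instanceof SyntaxError)) throw e;   // plain JSON fails to parse as script
  }
  return stolen;
}

// Server-side CORS decision for a credentialed request: echo only allowlisted
// origins, never "*" together with credentials, and vary the cache on Origin.
function corsHeaders(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Browser-side rule for a credentialed fetch: may the calling origin read the body?
function browserAllowsRead(requestOrigin, headers) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (acao === "*") return headers["Access-Control-Allow-Credentials"] !== "true"; // "*" is refused with credentials
  return acao === requestOrigin;
}

// If JSONP must stay, the callback name is attacker-controlled output in a
// script context; restrict it to a plain identifier.
function safeCallbackName(name) {
  return /^[A-Za-z_$][\w$]*$/.test(name) ? name : null;
}

module.exports = { profile, jsonpResponse, jsonResponse, attackerPageHarvests, corsHeaders, browserAllowsRead, safeCallbackName };
```

Loading the JSONP response from a foreign page hands the attacker the whole profile; the same data as plain JSON yields nothing, and a fetch() from attacker.example gets no Access-Control-Allow-Origin header, so the browser withholds the body even though the server sent it. The practical lesson is that an endpoint returning private data should never offer a JSONP variant at all; the callback-name check only limits injection into the script, it does not restore the origin boundary.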
Although, as mentioned, TikTok had already fixed these vulnerabilities before Check Point Research published its report today, the fact that a breach of this scale was possible at all raises serious questions about how secure user data really is on social media applications in general.
Source: Check Point Research