Caught on camera
Multiple security vulnerabilities have been uncovered in popular video sharing app TikTok.
Researchers at Check Point have gone public with flaws that made it possible to hack a TikTok account by sending an SMS message, among other exploits.
After a user clicked on a malicious link in a spoofed text message, an attacker would have been able to gain access to their TikTok account.
Such compromised access allowed attackers to delete or add videos on an account, make hidden videos public, or steal personal information such as private email addresses.
All this was possible because TikTok’s web infrastructure allowed a targeted user to be redirected to a malicious website that looked like the Chinese developer’s homepage.
This security shortcoming could be combined with cross-site scripting (XSS), cross-site request forgery (CSRF), and other exploits to effectively hijack accounts, as explained in a blog post by Check Point.
The researchers only went public with their findings after first disclosing the flaws to TikTok and allowing developers to put together and release appropriate security patches.
TikTok is mainly used by teenagers to create and share short music clips or looping videos.
Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre, said that developers of apps targeting or popular with teens have a particular social responsibility to protect their install base from threats designed to harvest their data or scam them.