TikTok Patches Critical Account Takeover Bugs

TikTok has been forced to patch several critical vulnerabilities which may have allowed hackers to hijack user accounts and steal personal data.

Check Point researchers discovered the flaws in the wildly popular social media platform, including an SMS link-spoofing bug in a feature on the main TikTok site that lets users text themselves a link to download the app.

An attacker who could find out a victim’s phone number could use that feature to send them a custom malicious link from TikTok’s own sender; once clicked, it enabled account takeover, letting the attacker delete videos, post content and make private videos public.

Check Point also discovered a cross-site scripting (XSS) vulnerability in an ads subdomain of the main TikTok site, specifically in its help center section. This could allow attackers to inject malicious JavaScript into the site and harvest personal account information from users, the firm warned.

Both bugs were amplified by the lack of an anti-cross-site request forgery (CSRF) mechanism on the affected endpoints, Check Point added in a blog post.
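The three bug classes named above (an SMS feature that texts a link the attacker controls, reflected XSS in a help-center page, and state-changing requests with no CSRF check) are common enough that it is worth showing what the hardened request handlers look like. The following is an added example written for this page; it is not TikTok’s or Check Point’s code, and the endpoint shape, the field names (`link`, `csrf`), the allowlisted host and the official download URL are all assumptions made for the illustration. It also shows the URL-parsing edge cases (userinfo tricks, look-alike subdomains, non-HTTPS schemes) that a naive link check would miss.

```python
"""Hardening patterns for the bug classes described in the article.

Added illustrative code, not TikTok's or Check Point's. Field names,
hosts and URLs below are assumptions for the example.
"""
import hmac
import html
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Assumed values for this illustration only.
OFFICIAL_DOWNLOAD_URL = "https://www.example.com/download"
ALLOWED_LINK_HOSTS = {"www.example.com"}


def is_trusted_link(url: str) -> bool:
    """Allowlist check for any URL that will be embedded in an outbound SMS.

    Rejects non-HTTPS schemes (javascript:, data:, http:), userinfo tricks
    such as https://www.example.com@evil.example/ (urlsplit().hostname
    resolves that to evil.example) and look-alike subdomains such as
    www.example.com.evil.example, which an endswith() check would accept.
    """
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    return parts.scheme == "https" and parts.hostname in ALLOWED_LINK_HOSTS


def vulnerable_sms_body(form: dict) -> str:
    """The dangerous pattern (illustrative, not TikTok's code): the link that
    goes into the SMS is taken straight from the request, so anyone who can
    call the endpoint with a victim's phone number gets the site to text
    them an arbitrary URL from a trusted sender."""
    return f"Download the app here: {form.get('link', OFFICIAL_DOWNLOAD_URL)}"


def issue_csrf_token() -> str:
    """Per-session secret, kept server-side and echoed in a hidden field."""
    return secrets.token_urlsafe(32)


def csrf_token_valid(session_token: Optional[str], form_token: Optional[str]) -> bool:
    """Constant-time comparison; a missing token on either side fails closed."""
    if not session_token or not form_token:
        return False
    return hmac.compare_digest(session_token.encode(), form_token.encode())


def hardened_sms_body(session: dict, form: dict) -> str:
    """Hardened handler for the 'text me the download link' feature.

    1. The POST must carry the session's CSRF token, so a page the victim is
       lured to cannot trigger the SMS on their behalf.
    2. A client-supplied link is only honoured if it passes the allowlist;
       anything else is replaced by the fixed official URL.
    """
    if not csrf_token_valid(session.get("csrf"), form.get("csrf")):
        raise PermissionError("CSRF token missing or invalid")
    link = form.get("link", "")
    if not is_trusted_link(link):
        link = OFFICIAL_DOWNLOAD_URL
    return f"Download the app here: {link}"


def render_help_search(query: str) -> str:
    """Reflect a help-center search term into HTML without letting it become
    markup. html.escape(quote=True) also neutralises quotes, so the value is
    safe inside a double-quoted attribute as well as in text content."""
    safe = html.escape(query, quote=True)
    return f'<p>Results for "{safe}"</p>'


if __name__ == "__main__":
    token = issue_csrf_token()
    print(vulnerable_sms_body({"link": "https://evil.example/app"}))
    print(hardened_sms_body({"csrf": token},
                            {"csrf": token, "link": "https://evil.example/app"}))
    print(render_help_search("<script>alert(1)</script>"))
```

The key design point is that the link parameter is not sanitised but replaced: the feature has exactly one legitimate destination, so the safest fix is to never let the client choose it, and the allowlist exists only for deployments that genuinely need more than one target. The CSRF check is separate from the link check because the two fail independently: a valid link sent on an attacker-triggered request is still an attacker-triggered SMS.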

“Social media applications are highly targeted for vulnerabilities as they provide a good source for private data and offer a good attack surface,” explained Check Point head of product vulnerability research, Oded Vanunu.

“Malicious actors are spending large amounts of money and putting in great effort to penetrate into such huge applications. Yet most users are under the assumption that they are protected by the app they are using.”

TikTok patched the bugs in its latest version of the app, although security concerns about the company persist in Washington, thanks to its Chinese ownership.

Beijing-based ByteDance bought the Musical.ly app in 2017 and later folded it into TikTok, but given the app’s popularity in the States, lawmakers are becoming increasingly uneasy about the purchase.

Reports suggest that both the US Army and Navy have banned servicemen and women from using the app on government-issued devices.

In the meantime, the increasingly powerful Committee on Foreign Investment in the United States (CFIUS) has launched an inquiry into whether the user data TikTok collects represents a national security risk. 

Source: Information Security Magazine