TikTok has confirmed that it has fixed a vulnerability that allowed hackers to manipulate content, upload unauthorized videos, make private ‘hidden’ videos public, delete videos, and extract confidential information of users via an SMS containing a malicious link. The company says most of the fixes were on the back-end and users are recommended to update their apps to the latest version to be on the safe side.
A Check Point Research report revealed the bug by mentioning it in a blog post. The bug allowed potential hackers to send an SMS message to a mobile number on behalf of TikTok. While the functionality is available on the official TikTok website to let users download the app, hackers could capture HTTP request using a proxy tool and spoof a message that contained harmful links. The link could redirect users to a malicious website, launching Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and Sensitive Data Exposure attacks.
The report also notes that TikTok employed an unconventional JSONP callback, which allows to request data from API servers without CORS and SOP restrictions. As a result, data could be stolen by initiating an AJAX request. Thankfully, Check Point Research informed TikTok about the vulnerability before making the findings public.
Luke Deshotels from TikTok Security Team said, “TikTok is committed to protecting user data. Like many organisations, we encourage responsible security researchers to privately disclose zero-day vulnerabilities to us. Before public disclosure, CheckPoint agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers.”