Several vulnerabilities have been discovered in TikTok, a popular Chinese application, that allow attackers to take over and control a target user's account on the social network.
A Check Point study reveals vulnerabilities in the TikTok system. The official website of the social network has a function that lets users send themselves an SMS containing a link to download the application. Attackers can abuse this option to send a fake SMS to the victim.
Having intercepted the HTTP request, they gain control of the phone number (the Mobile parameter) and the ability to replace the link that appears in the SMS (the download_url parameter). As a result, a user who trusts the source downloads a fake application, with all the ensuing consequences.
In addition, the researchers found a vulnerability on the side of the TikTok Android application, which supports “deep links” for invoking Intents. An Intent is an asynchronous message that lets application components request functionality from other Android components. In TikTok this mechanism is used to implement the “https://m.tiktok.com” and “musically://” schemes.
Attackers using the SMS link spoofing vulnerability can send a user a link that uses one of these schemes. As a result, the mobile application opens a browser window and loads a fake web page. After clicking the spoofed link, the user is redirected to a third-party site. The redirect process is vulnerable because the redirect_url parameter is not properly validated: the check only requires the target site to end with “tiktok.com”, so an attacker can redirect the user to any host ending in “tiktok.com”, for example “attacker-tiktok.com”.
Redirection opens the possibility of cross-site scripting (XSS), cross-site request forgery (CSRF) and disclosure of sensitive data without user consent. As a result, attackers can perform the following actions:
Take over and control TikTok accounts;
Upload unauthorized videos;
Change the status of “hidden” videos to “public”;
Retrieve personal information from an account, such as an email address.
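The redirect_url check described above accepts any host that merely ends in “tiktok.com”. The following added example (not Check Point's or TikTok's code; the trusted domain, the sample URLs and the helper names are constructed for illustration) puts that weak rule beside a hardened one that parses the URL, restricts the scheme and requires the host to match the trusted domain on a dot boundary:

```python
from urllib.parse import urlsplit

# Constructed trusted domain for this example; the real allowlist is not on the page.
TRUSTED_DOMAIN = "tiktok.com"


def _host_of(url: str) -> str:
    """Return the lower-cased hostname of url, or '' if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def weak_redirect_check(url: str) -> bool:
    """The flawed rule the article describes: the host only has to end in
    'tiktok.com', so a lookalike such as 'attacker-tiktok.com' passes."""
    return _host_of(url).endswith(TRUSTED_DOMAIN)


def safe_redirect_check(url: str) -> bool:
    """Hardened rule: parse the URL, accept only web schemes, and require the
    host to be the trusted domain itself or a subdomain of it (dot boundary)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


# Constructed sample redirect_url values, including the lookalike from the article.
SAMPLES = [
    "https://m.tiktok.com/",                  # legitimate
    "https://attacker-tiktok.com/",           # lookalike that the weak rule accepts
    "https://tiktok.com.attacker.example/",   # trusted name as a subdomain of a stranger
    "https://tiktok.com@attacker.example/",   # trusted name hidden in the userinfo part
    "musically://tiktok.com/open",            # non-web scheme on a trusted host
]


def evaluate(urls=SAMPLES) -> dict:
    """Map each URL to (weak_result, safe_result) so the two rules can be compared."""
    return {u: (weak_redirect_check(u), safe_redirect_check(u)) for u in urls}


if __name__ == "__main__":
    for url, (weak, safe) in evaluate().items():
        print(f"{url:40} weak={weak!s:5} safe={safe}")
```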
Check Point Research reported that it informed the TikTok developers about the vulnerabilities, which have already been fixed. In 2019 the social network had more than a billion users (75 languages, 150 markets), mainly children and adolescents. The application is used to create music videos and share short clips. At the same time, one of the most downloaded services in the world has other problems associated with its Chinese origin. The US Navy banned its personnel from using TikTok, and the US Army “banned” the application on work phones, although it had recently been using it as a recruiting tool.