The original name of the app is Douyin, which means “shake the music” in Chinese. The name fits, since it is a social network built around sharing short music clips. Outside of China it is called TikTok, and it is available for both iOS and Android.

TikTok allows you to create, edit and upload one-minute music video selfies, applying various effects and adding a musical background to them. It also has some artificial-intelligence functions and includes striking special effects, filters and augmented-reality features. The application is very popular globally, but, as with everything, there are risks, which we will look at below.

TikTok vulnerabilities

Researchers at Check Point Research discovered multiple vulnerabilities within the TikTok application. The vulnerabilities described in their research allow attackers to do the following:

▸Get TikTok accounts and manipulate their content

▸Delete videos

▸Upload unauthorized videos

▸Make private “hidden” videos public

▸Reveal personal information stored in the account, such as private email addresses

All of these can be exploited by criminals using methods such as:

▸Deep link

The TikTok application on Android has a “deep linking” functionality, which makes it possible to open a browser link from inside the app. Attackers using the SMS link spoofing vulnerability described below can send a custom link containing the above-mentioned schemes. Since the custom link contains a “url” parameter, the mobile application opens a browser window and navigates to the web page named in that parameter. Any request made from that window is sent with the user’s cookies.
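The mitigation for this class of deep-link issue is to refuse to open any “url” value that is not an allowlisted first-party HTTPS origin. The following is an added illustration, not code from TikTok or from the Check Point research; it models the check in Python rather than in the Android app, and the allowlisted hosts (`www.example.com`, `m.example.com`) are hypothetical placeholders.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of first-party hosts the in-app browser may open.
# A real app would list its own domains here.
ALLOWED_HOSTS = {"www.example.com", "m.example.com"}
ALLOWED_SCHEMES = {"https"}


def is_safe_deep_link_url(url: str) -> bool:
    """Return True only if the 'url' parameter points at an allowlisted
    HTTPS origin. Other hosts, javascript:/intent: schemes, scheme-relative
    URLs and userinfo tricks (https://good.com@evil.com) are all rejected."""
    if not isinstance(url, str) or not url or len(url) > 2048:
        return False
    # Browsers treat backslashes as slashes in http(s) URLs, which can make a
    # parser and the browser disagree about the host; refuse them outright.
    if "\\" in url:
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # rejects javascript:, intent:, data:, and "//evil.com"
    if parts.username is not None or parts.password is not None:
        return False  # rejects https://www.example.com@evil.com
    host = parts.hostname  # already lowercased by urlsplit
    if host is None:
        return False
    # Exact match only: "www.example.com.evil.com" must not pass.
    return host in ALLOWED_HOSTS


def open_in_app_browser(params: dict) -> str:
    """Simulated deep-link handler: returns the URL the in-app browser should
    load, falling back to the app's own landing page when validation fails."""
    url = params.get("url", "")
    if is_safe_deep_link_url(url):
        return url
    return "https://www.example.com/"


if __name__ == "__main__":
    for candidate in ("https://www.example.com/video/1",
                      "https://evil.com/", "javascript:alert(1)",
                      "https://www.example.com@evil.com/"):
        print(candidate, "->", open_in_app_browser({"url": candidate}))
```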

▸SMS link spoofing

It is possible to send an SMS message to any phone number on behalf of TikTok. The application’s main website has a feature that lets users send themselves an SMS message containing a link to download the application.

▸Become a follower

To become a follower of a victim’s account, an attacker normally sends a follow request that the victim has to approve. Using the JavaScript execution methods described above, the attacker instead submits the approval request on behalf of the victim. This request carries a parameter, `from_user_id`, which identifies the user who wants to become a follower. The attacker sets `from_user_id` to their own ID and sends the request to the TikTok server.
