TikTok Security Flaw Allows Hackers To Gain Complete Access: Report

TikTok is under scrutiny again. It was earlier alleged that the popular app was sharing user data with the Chinese government. Now, Israeli firm Check Point Research has reported multiple vulnerabilities in the TikTok app. Worse, hackers could easily gain access to a user's account, erase or create new videos, manipulate the content, and more.

TikTok Security Flaw Discovered

Some of the security researchers' findings were detailed in a blog post. For one, the researchers were able to send an SMS to a mobile number, posing as TikTok. This functionality is found on the official website, where it allows users to download the app. But it can easily be misused by capturing the HTTP request and spoofing a message with a dangerous link.

TikTok App Security Flaw

Once the malicious link reaches the victim, the victim can be redirected to a malicious website. The researchers say this opens the possibility of launching Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and Sensitive Data Exposure attacks. Further, the hacker can tap into other techniques to follow the victim on the app, which is more dangerous.

At the same time, Check Point Research also found evidence that a subdomain (https://ads.tiktok.com) was vulnerable to XSS attacks. It could allow people with malicious intent to inject scripts into trusted websites. The researchers found the injection point for an XSS attack in the search functionality. TikTok had employed an "unconventional JSONP callback that makes it possible to request data from API servers without CORS and SOP restrictions, which made it possible to steal data by initiating an AJAX request," the blog says.
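To show why a JSONP callback sidesteps the CORS and SOP restrictions mentioned in the quote, here is an added example (not code from TikTok or from the Check Point blog) that puts a JSONP-style handler beside a hardened JSON handler with an origin allow-list. The handler names, origins and profile data are assumptions made up for this illustration.

```javascript
// Added example: origins, field names and data are constructed for illustration.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // hypothetical first-party origin
const profile = { user: "alice", email: "alice@example.com" }; // constructed per-user data

// Weak pattern: JSONP. The response is executable script, so any page can
// include it with a <script> tag. The browser sends the user's cookies and
// hands the data to the including page's callback; SOP and CORS never apply.
function jsonpHandler(query) {
  const cb = query.callback || "callback";
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript" },
    body: `${cb}(${JSON.stringify(profile)})`,
  };
}

// Hardened pattern: plain JSON only, no callback parameter, and CORS granted
// to an explicit allow-list. For any other origin the header is absent, so
// the browser refuses to expose the response body to that page's scripts.
function jsonHandler(query, requestHeaders) {
  const headers = {
    "Content-Type": "application/json",
    "X-Content-Type-Options": "nosniff", // stops the JSON being run as a script
    "Vary": "Origin",                    // caches must not mix per-origin responses
  };
  if ("callback" in query) {
    return { status: 400, headers, body: JSON.stringify({ error: "JSONP is not supported" }) };
  }
  const origin = requestHeaders.origin;
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin; // echo only allow-listed origins
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return { status: 200, headers, body: JSON.stringify(profile) };
}
```

The allow-list controls who may read the response, not who may send the request, so state-changing endpoints still need their own CSRF protection.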

TikTok Fixes Flaw

The research also discovered that hackers could wreak havoc on a user's account. They could upload videos and clips, change private videos into public, and even misuse sensitive information. Personal information like birth dates, payment details, linked emails, and so on could easily be hacked into.

TikTok Security Issues Mounting

In other words, a hacker could gain full access and completely take over the account. Check Point Research reported its findings to TikTok before revealing them to the public. TikTok announced that it has fixed all the vulnerabilities on the app. Even though most of the issues were on the back-end, users have been advised to update TikTok to the latest version.
