TikTok security flaws enabled attackers to text malware to users and uncover personal information

Setting the bar low for app security

The popular TikTok video-sharing app contained a security flaw that enabled attackers to simply text malware to targets.

That's according to a research report from Check Point Software, which claims that until recent patches the TikTok app contained "multiple" serious security flaws.

The most serious, Check Point claims, was SMS link spoofing, which made it possible to send text messages to any phone number masquerading as TikTok.

"On TikTok's main site: www.tiktok.com, there is a functionality that lets users send an SMS message to themselves in order to download the application. Attackers that wish to send a SMS message to a victim can capture the HTTP request using a proxy tool (such as Burp Suite).

The Mobile parameter contains the phone number to which the SMS will be sent to and the ‘download_url' parameter is the link that will appear in the SMS message," Check Point warned in its research. The download_url parameter can be manipulated so that instead of sending a link to download TikTok, users can be unwittingly redirected to download malware.

The researchers also found that the Android app contained ‘deep link' capabilities that made it possible to revoke intents in the app via a simple browser link. Again, hackers can take advantage of SMS spoofing in order to send custom links to mount their attacks.

"In the course of our research, we found that it is possible to send a malicious link to a victim that will result in redirecting the victim to a malicious website," the Check Point research continues.

"The redirection opens the possibility of accomplishing Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and Sensitive Data Exposure attacks without user consent.

"The redirection occurs when an attacker sends a legitimate login link derived from Tiktok's domain We found that the login request can contain a HTTP GET parameter redirect_url [that] will redirect the victim to tiktok's domain web pages…

"The redirection process was found to be vulnerable since the validation regex is not validating the value of the redirect_url parameter properly. Rather, the regex validates the parameter value ending with tiktok.com. making it possible to perform a redirection to anything with tiktok.com."

The more Check Point researchers looked into the app, the more they found. "We found that Tiktok's subdomain https://ads.tiktok.com is vulnerable to XSS [cross-site scripting] attacks, a type of attack in which malicious scripts are injected into otherwise benign and trusted websites," the company claims, enabling attackers to perform actions masquerading as their target, including both deleting and creating videos, and switching a private video to a public video.

The researchers also found several API calls that could be used to reveal sensitive user information, including email address, payment information and dates of birth.