Check Point Research, a provider of cyber threat intelligence, has published an in-depth review of its analysis of the popular TikTok video-sharing application. The analysis comes on the heels of continued scrutiny of TikTok by the United States government, and it claims that the TikTok application included multiple vulnerabilities that attackers could use to gain access to users’ accounts and expose sensitive user information.
The first issue in the report was that it was possible to send a manipulated SMS message to any phone number on behalf of TikTok via SMS link spoofing. This allowed a potential attacker to send a victim an SMS invite message that would appear trustworthy while including malicious links.
Additionally, Check Point Research found that because the TikTok Android application includes “deep links” functionality, attackers were able to exploit the SMS spoofing vulnerability and gain a shocking amount of access to users’ accounts. Check Point Research demonstrated the ability to delete user videos, upload unauthorized videos, make private “hidden” videos public, and reveal private information, including email addresses.
After bypassing these restrictions, researchers gained access to “email address, payment information, birthdates and much more.” The report of these vulnerabilities noted that after notice was provided to TikTok, a solution was deployed to correct the issues. Make sure to check out Check Point Research’s full report for all the gory details.