TikTok’s Myriad Security Vulnerabilities Expose API Resources

Check Point Research, a provider of cyber threat intelligence, has published an in-depth report on an analysis it conducted of the popular TikTok video-sharing application. The analysis comes on the heels of continued scrutiny of TikTok by the United States government, and it claims that the TikTok application included multiple vulnerabilities that attackers could use to gain access to users’ accounts and expose sensitive user information.

The first issue in the report was that it was possible to send a manipulated SMS message to any phone number on behalf of TikTok via SMS link spoofing. This would allow an attacker to send a victim an SMS invite message that appeared trustworthy while containing malicious links.

Additionally, Check Point Research found that, because the TikTok Android application includes “deep links” functionality, attackers were able to exploit the SMS spoofing vulnerability and gain a shocking amount of access to users’ accounts. Check Point Research was able to demonstrate the ability to delete user videos, upload unauthorized videos, make private “hidden” videos public, and reveal private information including email addresses.

As the investigation progressed, researchers noted that they could execute JavaScript code by using Cross-Site Scripting. The researchers then made requests to various APIs using these JavaScript execution vulnerabilities but were thwarted by security restrictions. The workaround was shocking:

“We found out that Tiktok had implemented an unconventional JSONP Callback that provides a method to request data from API servers without CORS and SOP restrictions! Bypassing those security mechanisms allowed us to steal all the sensitive information of the victims by triggering an AJAX request to the JSONP callback, resulting in JSON data wrapped by a JavaScript Function.”

After bypassing these restrictions, researchers gained access to “email address, payment information, birthdates and much more.” The report of these vulnerabilities noted that, after notice was provided to TikTok, a solution was deployed to correct the issues. Make sure to check out Check Point Research’s full report for all the gory details.
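The quoted finding turns on a property of JSONP that is easy to miss: a JSONP response is executable JavaScript, and a `<script>` tag on any origin may load and run it, so neither the Same-Origin Policy (which restricts cross-origin *reads* by XHR/fetch) nor CORS (which is only consulted for those reads) stands in the way. The following is an added example, not Check Point Research’s or TikTok’s code, that models a legacy JSONP handler handing a profile to whatever callback name the request supplies, beside a hardened handler that returns plain JSON only and allows credentialed cross-origin reads solely for an explicit origin allow-list. The request/response objects, the `SENSITIVE_PROFILE` record and the `ALLOWED_ORIGINS` set are constructed stand-ins for a real HTTP framework and real data.

```javascript
// Added example (not the page's or the vendor's code). Plain objects stand in
// for HTTP requests/responses: req = { query: {...}, headers: {...} }.

// Constructed sample record representing the kind of data a profile API returns.
const SENSITIVE_PROFILE = { email: "user@example.test", birthdate: "1990-01-01" };

// Legacy JSONP behaviour: the body is JavaScript that calls the caller-chosen
// function with the JSON as its argument. A <script src="...?callback=f"> tag
// on a foreign origin executes this in that page's context, so the data is
// readable there without any CORS negotiation.
function legacyJsonpHandler(req) {
  const cb = req.query.callback;
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript" },
    body: `${cb}(${JSON.stringify(SENSITIVE_PROFILE)})`,
  };
}

// Assumed allow-list of first-party web origins permitted to read the API.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]);

// Hardened handler:
//  * never wraps data in a callback, so a <script> tag cannot execute it;
//  * requires a custom header, which a <script> tag or plain form cannot set
//    and which forces a CORS preflight for cross-origin fetch/XHR;
//  * echoes Access-Control-Allow-Origin only for allow-listed origins;
//  * nosniff stops browsers from reinterpreting the JSON as a script.
function hardenedHandler(req) {
  const origin = req.headers["origin"];
  const headers = {
    "Content-Type": "application/json; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
  };
  const reject = (status, error) => ({ status, headers, body: JSON.stringify({ error }) });

  if ("callback" in req.query) return reject(400, "JSONP is not supported");
  if (req.headers["x-requested-with"] !== "XMLHttpRequest") {
    return reject(403, "missing anti-CSRF header");
  }
  if (origin !== undefined) {
    if (!ALLOWED_ORIGINS.has(origin)) return reject(403, "origin not allowed");
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
    headers["Vary"] = "Origin";
  }
  return { status: 200, headers, body: JSON.stringify(SENSITIVE_PROFILE) };
}

// Models the browser's view: would a foreign-origin <script> tag end up
// executing this response? True only for a 200 JavaScript body that invokes a
// function, i.e. a JSONP-shaped response.
function leaksViaScriptTag(res) {
  const ct = res.headers["Content-Type"] || "";
  return (
    res.status === 200 &&
    ct.startsWith("application/javascript") &&
    /^[A-Za-z_$][\w$]*\(/.test(res.body)
  );
}

// Stand-alone demonstration.
const foreignScriptRequest = { query: { callback: "leak" }, headers: {} };
console.log("legacy leaks via <script>:", leaksViaScriptTag(legacyJsonpHandler(foreignScriptRequest)));
console.log("hardened leaks via <script>:", leaksViaScriptTag(hardenedHandler(foreignScriptRequest)));
```

Detection on the defending side follows from the same observation: any API response for authenticated data served with a JavaScript content type and a caller-controlled `callback` parameter is a finding, whatever the endpoint's intended use, and an inventory of such endpoints is a cheaper first step than tracing every XSS path that could reach them.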
