According to figures released by cybersecurity firms, TikTok managed to break into the Top 5 of the most downloaded apps of 2019, although user interest also attracted the attention of government agencies and researchers interested in the potential security risks in the use of this platform.
This app is under intense scrutiny for issues related to user privacy, censorship of certain types of content and a potential national security risk declared by the US Military due to its potential partnership with the Chinese government.
According to multiple reports, this video sharing app, developed by a Chinese company, presents multiple vulnerabilities that expose its users to various cybersecurity risks. Apparently, exploiting these flaws would allow hackers to remotely hijack a TikTok account; all the attacker needs is the victim’s phone number.
Researchers from the cybersecurity firm Check Point reportedly revealed the presence of these flaws in the app, which would allow executing malicious code remotely to perform arbitrary actions while impersonating the victims.
The vulnerabilities would allow malicious actions such as posting unauthorized content, deleting victims’ videos, or even changing a profile’s settings, for instance switching it from public to private or vice versa.
For the attack, threat actors abuse a poorly secured SMS feature on the official TikTok website. This feature lets users send their own phone an SMS containing a link to download the application. Cybersecurity experts say an attacker could take advantage of this by sending an SMS to any phone number on TikTok’s behalf.
This message could contain a modified URL that would redirect victims to a malicious page for the purpose of injecting malware into the target device.
In combination with cross-site scripting flaws, this attack could allow hackers to run malicious JavaScript when victims interact with the link they sent. This is an attack known as cross-site request forgery. The vulnerability was reported in a timely manner by Check Point, so the latest version of the app should already be corrected.
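The weak point described above is an SMS feature that will carry whatever link it is handed. As an added defensive example (not code from the article, from Check Point, or from TikTok), this is the kind of server-side check that keeps an attacker-chosen URL out of such a message; the allowlisted host names and fallback page are placeholders:

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts the "text me the download link" feature may point to.
# Placeholder values for this example; a real site uses its own list.
ALLOWED_HOSTS = {"downloads.example-app.com", "www.example-app.com"}
FALLBACK = "https://www.example-app.com/download"


def safe_redirect_target(candidate: str) -> str:
    """Return `candidate` only if it is an absolute https URL whose host is
    exactly on the allowlist; otherwise return the fixed fallback page.

    Without a check like this, a redirect parameter reflected into an SMS
    lets anyone send an official-looking message that leads anywhere.
    """
    if not candidate or len(candidate) > 2048:
        return FALLBACK
    # Some browsers treat backslashes as slashes, so normalise them first;
    # otherwise "https:\\evil" could slip past the host comparison.
    normalised = candidate.replace("\\", "/").strip()
    try:
        parts = urlsplit(normalised)
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return FALLBACK
    if parts.scheme != "https":
        return FALLBACK            # rejects javascript:, data:, http:, "//host"
    if parts.username or parts.password:
        return FALLBACK            # rejects "https://trusted@evil.example/"
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return FALLBACK            # exact match: no "trusted.com.evil.example"
    if port not in (None, 443):
        return FALLBACK
    # Rebuild from the vetted pieces so nothing unchecked reaches the SMS.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))
```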
TikTok remains under scrutiny from the U.S. government, so more security issues in the app could be revealed shortly. For the time being, the International Institute of Cyber Security (IICS) recommends that users of the app update to the latest version and stay alert to any updates to these reports.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He has also worked for security companies like Kaspersky Lab. His everyday job includes researching new malware and cyber security incidents. He also has deep knowledge of mobile security and mobile vulnerabilities.