CounterPoint Research has detailed a bug buried inside the popular China-based short-video messaging platform TikTok, which could let bad actors take over your account. They could do so just by sending an SMS text, using a technique called SMS Link Spoofing.
Through SMS Link Spoofing, hackers could send TikTok users text messages on behalf of the company.
On top of SMS link spoofing, there were also other security foibles like open redirection and cross-site scripting (XSS) that could be combined to take over an account.
Hackers could use TikTok’s site to send users a malicious link via SMS to download the app. Leveraging manipulated JavaScript code, hackers could then take over the user profile once the user clicks the link.
Impact
The bugs could let attackers:
- Get hold of TikTok accounts and manipulate their content
- Delete videos
- Upload unauthorized videos
- Make private “hidden” videos public
- Reveal personal information saved on the account such as private email addresses
However, the company’s security team reported that no user data was compromised.
“Following a review of customer support records, we can confirm that we have not seen any patterns that would indicate an attack or breach occurred,” said a member of TikTok’s security team.
These multiple bugs were discovered in November 2019 by the security researchers and have since been patched by the company in the December update.
So, there is no threat as of now. But this prompts me to remind you that you should always update your apps as soon as you come across a newer version.