CounterPoint Research has detailed a bug buried inside the popular China-based short video messaging platform TikTok, which could let bad actors take over your account. They could do so just by sending an SMS text message, using a technique called SMS link spoofing.

Through SMS link spoofing, hackers could send TikTok users text messages on behalf of the company.

On top of SMS link spoofing, there were other security flaws, such as open redirection and cross-site scripting (XSS), that could be combined to take over an account.

Hackers could use TikTok’s site to send users a malicious link via SMS to download the app. Leveraging manipulated JavaScript code, hackers could then take over the user profile once the user clicks the link.


The bugs could let attackers:

  • Get hold of TikTok accounts and manipulate their content
  • Delete videos
  • Upload unauthorized videos
  • Make private “hidden” videos public
  • Reveal personal information saved on the account such as private email addresses

However, the company’s security team reported that no user data was compromised.


