China-Made TikTok App Riddled With Security Holes: Researchers

Researchers Have Discovered Multiple Security Vulnerabilities Within the Popular TikTok Application

TikTok is a China-made mobile app that has become a global phenomenon. It is used to create short lip-synced comedy or talent video clips of between 3 and 15 seconds, or looped clips of up to 60 seconds. It is particularly popular among the young, who largely use it for self-publicity or showing off.

The app was developed by Beijing-based ByteDance in 2016, and launched into the global Android and iOS market in 2017. It now has more than 1 billion users, and not a few critics. The basis of their concern is the relationship between Chinese companies and the Chinese government. Introducing legislation that would prohibit U.S. companies from storing American personal data in countries such as China and Russia, Senator Josh Hawley (R-Mo.) commented, “If your child uses TikTok, there’s a chance the Chinese Communist Party knows where they are, what they look like, what their voices sound like, and what they’re watching.”

In October 2019, two senators warned that Chinese law could compel the company “to support and cooperate with intelligence work controlled by the Chinese Communist Party.” TikTok — separate from the Chinese version of the software — is now headquartered in Los Angeles, and denies this. “We have never been asked by the Chinese government to remove any content and we would not do so if asked. Period,” it said.

Such concerns led the U.S. Army to ban its use on government phones at the end of 2019, reversing an earlier approach that had used TikTok as a recruiting tool. The U.S. Navy had similarly banned the use of TikTok on government phones ten days earlier.

Now it seems that the Chinese government is not the only potential destination for user content that should worry TikTok users: Check Point found multiple vulnerabilities in the app that could easily be exploited. These could lead to an attacker uploading false videos and deleting genuine videos, changing video status from private to public, and extracting sensitive personal data, such as users’ full names, email addresses and birthdays.

TikTok’s website allows users to send themselves an SMS message containing a link to download the app. The response can be captured with a proxy tool such as Burp Suite. It contains both the phone number of the intended recipient and the download URL for the app. The download URL can be modified to point at a site under the attacker’s control (for example, tiktok-usa.com, which is currently unused and available). If the change is not detected, the user could automatically download malware or a modified version of TikTok.

A further vulnerability is described as ‘open redirection with domain regex bypass’. “The redirection process was found to be vulnerable,” say the Check Point researchers, “since the validation regex is not validating the value of the redirect_url parameter properly. Rather, the regex validates the parameter value ending with tiktok.com, making it possible to perform a redirection to anything with tiktok.com.” As a result, attackers could redirect the user to their own site if it were something like http://www.attacker-tiktok(.)com.
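As an added illustration, not Check Point's or TikTok's code, here is a suffix check of the kind the researchers describe beside a host-allowlist check that rejects look-alike domains; ALLOWED_HOSTS and the sample URLs are constructed for the example:

```python
import re
from urllib.parse import urlparse

# Weak check in the style described by the researchers: it only requires the
# redirect_url value to end with "tiktok.com", so "attacker-tiktok.com" passes,
# as does any URL that merely ends with that string (e.g. in a fragment).
WEAK_REGEX = re.compile(r"tiktok\.com$")


def weak_redirect_check(redirect_url: str) -> bool:
    return WEAK_REGEX.search(redirect_url) is not None


# Hardened check: parse the URL, require https, reject embedded credentials,
# and compare the exact host (or a real subdomain of it) against an allowlist.
ALLOWED_HOSTS = {"tiktok.com"}  # assumed allowlist for this example


def strict_redirect_check(redirect_url: str) -> bool:
    try:
        parts = urlparse(redirect_url)
    except ValueError:
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False  # also rejects "//host" and relative paths
    if parts.username is not None or parts.password is not None:
        return False  # "https://www.tiktok.com@evil.example" style tricks
    host = parts.hostname.lower().rstrip(".")
    # "tiktok.com" or "www.tiktok.com" pass; "attacker-tiktok.com" does not,
    # because the suffix must be preceded by a dot, not an arbitrary character.
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)
```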


The researchers also found an XSS flaw in the ad.tiktok(.)com subdomain, which hosts a help center with a search facility. The correct format for a search ends in ‘q=search_term’. They found they could inject JavaScript into the ‘q’ parameter.

Putting the vulnerabilities together, the researchers found they could both delete an existing user video and create a new one. The creation, for example, first requires the attacker to send a request to create a video on his own feed. This generates a new video id. Then, using the JavaScript execution, say the researchers, “the attacker posts the video creation request he copied and sends the HTTP POST request on behalf of the victim.” The result is that the attacker’s video appears in the victim’s feed.

Other possibilities open to the attacker include becoming a victim’s follower without the victim approving the follow, and changing the victim’s private videos to public videos.

Finally, the researchers found they could exfiltrate a victim’s personal data from TikTok. They discovered API calls on the https://api-t.tiktok(.)com and https://api-m.tiktok(.)com subdomains. Although these were protected by the Cross-Origin Resource Sharing (CORS) mechanism and Same-Origin Policy (SOP) restrictions, the researchers also found an unconventional JSONP callback that bypassed those restrictions.

“Bypassing those security mechanisms,” say the researchers, “allowed us to steal all the sensitive information of the victims by triggering an AJAX request to the JSONP callback, resulting in JSON data wrapped by a JavaScript function.” This data can be sent to the attacker’s server.
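To make the SOP/CORS point concrete, here is an added example (not TikTok's API or Check Point's code) of a hypothetical profile endpoint in its JSONP form beside a hardened form, with a small model of which responses a page on another origin can read; PROFILE and ALLOWED_ORIGINS are constructed:

```python
import json
from typing import Dict, Optional, Tuple

# Constructed sample of the kind of profile fields the article says were exposed.
PROFILE = {"name": "Sample User", "email": "user@example.com", "birthday": "2001-01-01"}
# Assumed allowlist of origins permitted to read the API cross-origin.
ALLOWED_ORIGINS = {"https://www.tiktok.com"}


def jsonp_endpoint(callback: Optional[str]) -> Tuple[str, str]:
    """Hypothetical pre-fix behaviour: if a callback name is supplied, wrap the
    JSON in a call to it. Returns (content_type, body)."""
    body = json.dumps(PROFILE)
    if callback:
        return "application/javascript", f"{callback}({body});"
    return "application/json", body


def hardened_endpoint(origin: Optional[str]) -> Tuple[Dict[str, str], str]:
    """Hardened version: never emit JSONP; return plain JSON and grant CORS
    read access only to allowlisted origins. Returns (headers, body)."""
    headers = {"Content-Type": "application/json",
               "X-Content-Type-Options": "nosniff"}
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Vary"] = "Origin"
    return headers, json.dumps(PROFILE)


def readable_by(page_origin: str, content_type: str, headers: Dict[str, str]) -> bool:
    """Simplified model of the browser rules that matter here: a <script src=...>
    tag executes a JavaScript response from any origin, so the named callback
    receives the data and SOP offers no protection; a fetch/XHR response body is
    only exposed to page_origin when the CORS allow-origin header names it."""
    if content_type.startswith("application/javascript"):
        return True
    return headers.get("Access-Control-Allow-Origin") == page_origin
```

The fix is to drop the JSONP wrapper entirely rather than to tighten the callback name, because the wrapper itself is what turns a JSON document into an executable script.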

“Data is pervasive, and our latest research shows that the most popular apps are still at risk,” said Oded Vanunu, Check Point’s head of product vulnerability research. “Social media applications are highly targeted for vulnerabilities as they provide a good source of personal, private data and offer a large attack surface. Malicious actors are spending large amounts of money and time to try and penetrate these hugely popular applications — yet most users are under the assumption that they are protected by the app they are using.”

Check Point Research informed TikTok developers about the vulnerabilities exposed in this research and a solution was responsibly deployed to ensure its users can safely continue using the TikTok app. It remains important, however, to ensure that all app downloads only come from trusted and reliable suppliers.

Luke Deshotels, PhD, from the TikTok security team said in a statement, “We encourage responsible security researchers to privately disclose zero-day vulnerabilities to us. Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers.”


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
