Digitalys Mag
TikTok: multiple security issues

by Alyssa Berriche
10 January 2020

TikTok, the well-known Chinese video-sharing app and the third most downloaded app of 2019, has recently faced intense criticism over users’ privacy and the security of their accounts.

According to USA Today, the US Navy banned the use of the application for its personnel, while in an article by The Guardian, Senior Democrat Chuck Schumer says that the “TikTok app poses potential national security risk”.

In addition, the New York Times has published that TikTok is under national security review.

In a report shared with The Hacker News by cybersecurity researchers at Check Point, multiple vulnerabilities were found in the app that could allow hackers to remotely execute malicious code and perform unwanted actions on behalf of victims without their consent.

The reported vulnerabilities include low-severity issues such as SMS link spoofing, open redirection, and cross-site scripting (XSS) which, when combined, could allow a remote attacker to carry out high-impact attacks.

Technical details about the reported vulnerabilities

Demo video of the attack

SMS Link Spoofing

During the research, Check Point found that it is possible to send an SMS to any phone number on behalf of TikTok.

TikTok offers a feature on its official website that lets users send themselves an SMS message containing a link to download the application. Attackers can abuse this feature by capturing the HTTP request with a proxy tool (such as Burp Suite) and changing the download URL to any malicious URL. This is possible because the request, which can be intercepted, includes both the phone number to which the SMS will be sent and the download_url parameter, the link that will appear in the SMS message.
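The defensive side of the feature described above, as an added example that is not TikTok’s own code: the server builds the SMS so that the link placed in the message never comes from the request, and the only client-supplied value, the phone number, is validated. The parameter names (phone, download_url) and the store link are assumptions for the example.

```javascript
// Added example, not TikTok's own code: the server side of a "text me the download link"
// feature, written so that the link placed in the SMS never comes from the request.
// Parameter names (phone, download_url) and the store link are assumptions for the example.

const APP_DOWNLOAD_URL = "https://app-store.example/get-the-app"; // placeholder for the real store link

// Accept only E.164-style numbers: "+" followed by 8 to 15 digits (constructed rule).
function isValidPhone(phone) {
  return typeof phone === "string" && /^\+[1-9]\d{7,14}$/.test(phone);
}

// Vulnerable shape: the link is read from the client-supplied download_url parameter,
// so whoever edits the request decides what the recipient sees.
function buildSmsUnsafe(params) {
  return { to: params.phone, body: `Download the app: ${params.download_url}` };
}

// Hardened shape: only the phone number is taken from the request, it is validated,
// and the link is a server-side constant. Any download_url in the request is ignored.
function buildSmsSafe(params) {
  if (!isValidPhone(params.phone)) {
    throw new Error("invalid phone number");
  }
  return { to: params.phone, body: `Download the app: ${APP_DOWNLOAD_URL}` };
}

// Constructed request body, as it would look after being edited in an intercepting proxy.
const TAMPERED_REQUEST = {
  phone: "+12025550143",
  download_url: "https://not-the-real-link.example/",
};

// Returns both renderings side by side so the difference is visible.
function demo() {
  return {
    unsafe: buildSmsUnsafe(TAMPERED_REQUEST),
    safe: buildSmsSafe(TAMPERED_REQUEST),
  };
}
```

The point of the hardened version is that there is nothing left in the request for a proxy to tamper with: the text of the SMS is fixed on the server, so editing the request can at most choose the recipient. In production the endpoint would also be rate-limited per source and per destination number, since even a fixed message can be abused to spam arbitrary numbers.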

Deep links enable attackers’ intents

While reverse engineering the TikTok app on an Android device, Check Point researchers found that it has a “deep links” feature, which makes it possible to invoke intents in the app via a browser link.

If attackers combine this feature with the SMS link spoofing vulnerability, they can send a custom link. Because the custom link contains a “url” parameter, the mobile application opens a WebView (an in-app browser window) and loads the web page named in that parameter. Any request made from that WebView is sent with the user’s cookies, making it possible for attackers to send requests on behalf of the user.

Open redirection with domain regex bypass

The researchers were also able to find that it is possible to send a victim a malicious link that redirects the victim to a malicious website.

The redirection occurs when an attacker sends a legitimate login link derived from TikTok’s domain: https://login.tiktok.com.

The redirection parameter redirects the victim to web pages on TikTok’s domain according to the following validation regex (which is applied client side only):

/^https?:\/\/[^/]*tiktok\.com(?!\.)(?!\w)/

The redirection opens the possibility of accomplishing Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and Sensitive Data Exposure attacks without user consent.
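The regex quoted above is weak for a structural reason: `[^/]*` accepts any host text before `tiktok.com`, so any hostname that merely ends in the string `tiktok.com` passes, and the check runs in the browser where it can simply be skipped. The following added example (my own code, not Check Point’s or TikTok’s) runs the article’s regex over a few constructed URLs next to an allow-list validator that parses the URL and compares the hostname exactly. The same validator is what a server should apply both to a redirect parameter and to the deep-link “url” parameter from the previous section before loading it in a WebView. The ALLOWED_HOSTS list and the look-alike hostnames are assumptions for the example.

```javascript
// Added example, not Check Point's or TikTok's code: the client-side regex quoted in the
// article next to a server-side allow-list validator for redirect and deep-link targets.

// Regex quoted in the article. "[^/]*" accepts any host text before "tiktok.com",
// so a host that merely ends in "tiktok.com" is accepted.
const ARTICLE_REGEX = /^https?:\/\/[^/]*tiktok\.com(?!\.)(?!\w)/;

function regexAllows(target) {
  return ARTICLE_REGEX.test(target);
}

// Hardened check: parse the URL and compare the hostname against an explicit allow-list.
// ALLOWED_HOSTS is an assumption for the example; a real deployment lists its own hosts.
const ALLOWED_HOSTS = new Set(["tiktok.com", "www.tiktok.com", "login.tiktok.com"]);

function allowListAllows(target) {
  let url;
  try {
    url = new URL(target); // throws on anything that is not an absolute URL
  } catch (e) {
    return false;          // relative targets would be handled by a separate, stricter rule
  }
  if (url.protocol !== "https:") return false;        // no plaintext downgrade
  if (url.username || url.password) return false;     // reject "https://host@other" forms
  return ALLOWED_HOSTS.has(url.hostname.toLowerCase());
}

// Constructed inputs: two legitimate targets, a look-alike host, a suffix trick, and http.
const SAMPLES = [
  "https://www.tiktok.com/",        // legitimate
  "https://login.tiktok.com/?x=1",  // legitimate
  "https://www.nottiktok.com/",     // constructed look-alike: hostname ends in "tiktok.com"
  "https://tiktok.com.example/",    // caught by the regex lookahead, and by the allow-list
  "http://www.tiktok.com/",         // wrong scheme
];

// Run both checks over the samples so the two verdicts can be compared line by line.
function compare() {
  return SAMPLES.map((u) => ({ url: u, regex: regexAllows(u), allowList: allowListAllows(u) }));
}
```

Two design points matter here. First, a URL is validated after parsing, not with a pattern over the raw string, because the parser is what the browser will use to decide where the request goes. Second, the check is a positive allow-list of exact hostnames; suffix matching such as “ends with .tiktok.com” is acceptable only if every subdomain is trusted, which the XSS on a subdomain in the next section shows is not a safe assumption.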

Cross-Site Scripting (XSS)

In their report, Checkpoint researchers mentioned that the subdomain https://ads.tiktok.com is vulnerable to XSS attacks.

The injection point of the XSS attack was found in the search functionality. When a search is performed, an HTTP GET request is sent to the web application server with a q parameter whose value is the searched string.
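The reflected pattern just described, as an added example that is not TikTok’s code: a search parameter written into an HTML page in the unsafe concatenating form, and beside it the output-encoded form plus response headers that limit the damage if an encoding is ever missed. The page structure and header values are assumptions for the example.

```javascript
// Added example, not TikTok's own code: a reflected search parameter rendered into HTML,
// shown in the unsafe concatenating form and in the output-encoded form.
// The page structure and the header values are assumptions for the example.

// Entity-encode the five characters that matter in HTML text and double-quoted attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe: q is written into the page exactly as received, so markup in q becomes markup.
function renderSearchUnsafe(q) {
  return `<h1>Results for: ${q}</h1>`;
}

// Safe: encode at the point of output, for the context (HTML text) the value lands in.
function renderSearchSafe(q) {
  return `<h1>Results for: ${escapeHtml(q)}</h1>`;
}

// Handle a GET /search?q=... request: parse q from the query string and render it safely.
function handleSearch(requestUrl) {
  const q = new URL(requestUrl, "https://search.example").searchParams.get("q") || "";
  return {
    body: renderSearchSafe(q),
    headers: {
      "Content-Type": "text/html; charset=utf-8",
      // Defence in depth: if an encoding is missed somewhere, inline script still cannot run.
      "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
      "X-Content-Type-Options": "nosniff",
    },
  };
}

// Constructed sample value containing markup, as a search string might after tampering.
const SAMPLE_Q = "<b>cats</b>";
```

The encoding is applied when the value is written out, not when it is read in, because the correct encoding depends on where the value lands (HTML text, an attribute, a URL, a script block). The Content-Security-Policy header is a second layer, not a substitute: it blocks inline script execution in browsers that enforce it, but the reflected markup still reaches the page.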

More technical details are available in the official research shared by Checkpoint.

Impact of vulnerabilities combined

The vulnerabilities allow attackers to do the following:

  • take control of TikTok accounts and manipulate their content,
  • delete any videos from a victim’s TikTok profile,
  • upload unauthorized videos to a victim’s TikTok profile,
  • make private “hidden” videos public,
  • reveal personal information saved on the account, such as private addresses and emails.

Patches

Check Point responsibly reported these vulnerabilities to ByteDance, the developer of TikTok, in late November 2019, who then released a patched version of its mobile app within a month to protect its users from hackers.

Recommendations

You are advised to update to the latest version of TikTok from the official app stores for Android and iOS as soon as possible.


References

  • https://thehackernews.com/2020/01/hack-tiktok-account.html
  • https://research.checkpoint.com/2020/tik-or-tok-is-tiktok-secure-enough/
Alyssa Berriche
Cyber Threat Analyst & Security researcher. Founder and Technical Writer for DigitaLys-Mag

Related Posts

Koei Tecmo Victim of  DataBreach
Cybersecurity

Koei Tecmo Victim of DataBreach

5 January 2021
Cybersecurity

[Vulnerability] Zerologon – CVE-2020-1472 exploited in the wild

8 October 2020
National Cyber Security Congress 2.0
Conferences

National Cyber Security Congress 2.0

26 January 2020
Next Post
Firefox users: Update your browser right now!

Firefox users: Update your browser right now!

Social Networks

  • 418 Fans
  • 141 Followers

Random Quote

Respond to every call that excites your spirit

— RUMI

Instagram

Follow-us on Instagram
Facebook Twitter Instagram Youtube
logo-digi

  • 438
  • 480
  • 2,673
  • 11,862
  • 111,159
  • 612,944
2016-05-29 15h05 01
SAM 0001
20161211 131046
20170415 152003
20160424 111022
IMG 20180707 110433
20160430 085911
20170708 174326
IMG 2511
20180707 175210
20180707 175400
20170708 140734

© 2019 Digitalys Mag - Personal Blog & Magazine.

No Result
View All Result
  • Home
  • Cybersecurity
  • Technology
  • Events
    • Conferences
    • Pop Culture
  • Entertainment
    • Manga/Anime/comics
    • Movies / Series
    • Gaming
  • LifeStyle
  • Funny
  • Vlogs

© 2019 Digitalys Mag - Personal Blog & Magazine.

Login to your account below

Forgotten Password?

Fill the forms bellow to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In