Jump to content

Serious vulnerabilities fixed in TikTok application

Recommended Posts

Check Point specialists published a report on serious vulnerabilities in the popular TikTok application. With their help, attackers could not only steal user data, but also manipulate their status in the profile and video.

In particular, vulnerabilities allowed you to access other people's accounts and manipulate their content, delete and upload videos, make hidden videos visible to everyone, and disclose personal information stored in your account (for example, email address).

In a study of application security, experts found that the TikTok website allows you to send SMS messages to any phone number on your behalf. An attacker can spoof a message by changing the download_url parameter in an intercepted HTTP request, insert any link, including a malicious one, and send it to the user on behalf of the TikTok team.

An attacker can re-engineer a fake link and send TikTok requests along with the victim's cookies. Other vulnerabilities discovered by researchers can be exploited here. Even without cross-site request forgery, an attacker can execute JavaScript code and perform actions on behalf of the user. Using a combination of POST and GET requests, an attacker can change the privacy settings of hidden videos, create new videos and publish them to the victim's account.

Running JavaScript code also allows you to obtain victim’s personal information through existing API calls, but for this, the attacker will first have to bypass the SOP (domain restriction rule) and CORS (resource sharing between different sources) security mechanisms.

The application developer fixed the vulnerabilities before the publication of the researchers report.


Source: https://www.securitylab.ru/news/503899.php

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...