High-severity vulnerabilities found in the TikTok app could have allowed attackers to hijack TikTok accounts.
TikTok is one of the most downloaded apps, and most of its users are teenagers. It has over 1 billion users globally and is available in 75 languages.
Check Point Research discovered multiple vulnerabilities in the TikTok application. The vulnerabilities described in the research allow attackers to do the following:
- Take control of TikTok accounts and manipulate their content
- Delete videos
- Upload unauthorized videos
- Make private “hidden” videos public
- Reveal personal information saved on the account such as private email addresses.
How could a TikTok account be hacked?
SMS link spoofing
During the research, the team found that it was possible to send an SMS message to any phone number on behalf of TikTok.
An attacker can tamper with the HTTP request that sends the SMS. The Mobile parameter contains the phone number the SMS will be sent to, and the download_url parameter is the link that will appear in the SMS message.
Changing the download_url parameter results in a spoofed SMS message that contains whatever link the attacker chooses.
TikTok open redirection vulnerability (domain regex bypass)
The redirection starts from a legitimate login link on TikTok's own domain, which the attacker sends to the victim.
The researchers found that the login request can contain an HTTP GET parameter, redirect_url, which tells the application where to send the user after a successful login attempt.
The parameter is supposed to redirect the user only to pages on TikTok's domain, according to a validation regex that is applied on the client side only.
The redirection process was found to be vulnerable because the validation regex does not validate the value of the redirect_url parameter properly. Rather, the regex only checks that the value ends with tiktok.com, making it possible to redirect the user to any host whose name ends with tiktok.com.
Cross-Site Scripting (XSS) vulnerability found on a TikTok subdomain
As the research continued, the researchers found that TikTok's subdomain https://ads.tiktok.com is vulnerable to XSS attacks, a type of attack in which malicious scripts are injected into otherwise benign and trusted websites.
The ads subdomain contains a help center where you can find information on how to create and publish ads on TikTok. The help center, available at https://ads.tiktok.com/help/, contains a vulnerable search function.
The injection point of the XSS attack was found in the search functionality. When a user performs a search, an HTTP GET request is sent to the web application server with a q parameter whose value is the searched string.
The original research includes a screenshot of a legitimate search for the word “pwned”, and, to demonstrate the injection, one in which the researchers popped an alert window with the content “xss”.
Cross-Site Request Forgery (CSRF): deleting a video
Deleting a video can be done via an HTTP GET request to
The following screenshot demonstrates a deletion request for video id 6755373615039991045:
Change a private video to a public video
In order to change a video from private mode to public mode, the attacker has to retrieve the video id.
Retrieving the video id is possible while the attacker is a follower of the victim as explained above.
Please note that with “type=1” the requested video will be changed to public mode while “type=2” will cause a video to turn private.
The following screenshot demonstrates an HTTP GET request to change video id 6755813399445261573 from private mode to public mode:
The server response then indicates that the video has been made public.
All TikTok vulnerabilities fixed
Check Point researchers reported all of these vulnerabilities to ByteDance, the developer of TikTok.
TikTok has fixed the vulnerabilities in its latest version. Users should update the app from the official app stores for iOS and Android.
“TikTok is committed to protecting user data. Like many organizations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us. Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers,” said Luke Deshotels, PhD, TikTok Security Team. “Following a review of customer support records, we can confirm that we have not seen any patterns that would indicate an attack or breach occurred.”
The full research is available from Check Point.