Multiple vulnerabilities have reportedly been found in the smartphone video-sharing app TikTok, which the company now says have been fixed. According to the Israel-based cybersecurity company Check Point, the vulnerabilities could have allowed hackers to manipulate content and extract personal data.
Researchers found that it was possible to spoof text messages so that they appeared to come from TikTok. Once a user clicked the fake link, a hacker would have been able to access parts of their TikTok account, including the ability to upload and delete videos and to change the settings of existing videos from public to private. The researchers also found that TikTok’s infrastructure was insecure, as it would have allowed a hacker to redirect a compromised user to a malicious website that looked like TikTok’s homepage.
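The redirect problem described above is the kind of flaw that is closed on the server by validating a redirect target against an allowlist of the site's own hosts before issuing the redirect. The example below is added here and is not TikTok's or Check Point's code; the allowed host names are constructed placeholders, and it also rejects the usual bypass shapes (lookalike hosts, protocol-relative and backslash forms, userinfo tricks, non-https schemes).

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real service would use its own hosts.
ALLOWED_HOSTS = {"www.example-app.test", "m.example-app.test"}
FALLBACK = "/"  # Where to send the user when the requested target is not trusted.


def safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return `target` only if it points at our own site, otherwise FALLBACK.

    Rejected: absolute URLs to foreign hosts, lookalike hosts such as
    www.example-app.test.evil.test, protocol-relative //evil.test, backslash
    variants (/\\evil.test), userinfo tricks (https://ours@evil.test), and any
    scheme other than https.
    """
    if not target:
        return FALLBACK
    # Browsers treat backslashes as slashes in URLs; normalise before parsing.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.netloc:
        # Absolute or protocol-relative URL: scheme must be https, host must be
        # exactly one of ours, and no userinfo may precede the host.
        if parts.scheme.lower() != "https":
            return FALLBACK
        if parts.username is not None or parts.password is not None:
            return FALLBACK
        if (parts.hostname or "").lower() not in allowed_hosts:
            return FALLBACK
        return candidate

    if parts.scheme:
        # e.g. javascript:... or data:... with no host.
        return FALLBACK

    # Relative target: require a single leading slash (not //host).
    if not candidate.startswith("/") or candidate.startswith("//"):
        return FALLBACK
    return candidate


if __name__ == "__main__":
    for t in ["/profile", "https://www.example-app.test.evil.test/", "//evil.test"]:
        print(f"{t!r:45} -> {safe_redirect_target(t)!r}")
```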
Tim Mackey, Principal Security Strategist at the Synopsys CyRC (Cybersecurity Research Centre), said: “With 40% of TikTok users being between 10-19, the ability for this user base to detect or understand the implications of any scam is limited. Developers of apps targeting or popular with teens then have a social responsibility to protect their install base from threats designed to harvest their data or scam them. While TikTok was able to patch the issues identified by Check Point Research, during investigation of the issue the attack path would’ve been investigated. Developers performing this research would likely have identified not only the specific attack method, but could likely have discovered additional potential areas for user data to become compromised. This investigative process is common when faced with any security issue, but in addition to the patch, the development team should’ve updated their threat models and performed a more thorough review of the security of their application. By both creating a patch and updating a threat model, an organisation can effectively prevent future attacks, as developers tend to repeat coding patterns, and if a given coding pattern leads to a security issue under one condition, it likely leads to security issues when used elsewhere in the application.”