Ad Home

Loophole in TikTok allows hackers to send malware with SMS !

Loophole in TikTok allows hackers to send malware with SMS !

Tiktok app has taken the world by storm. At the same time, it has also come under fire for being unproductive and a bad influence to a degree that recently US military had to ban TikTok over privacy concerns.

However, even more, is its association with the Chinese government inviting “spyware” allegations. While these may or may not be true, recently with the help of Checkpoint, the app was found to have several vulnerabilities that now have been fixed thankfully.TikTok is a very popular video snippet creation and sharing platform, counting over 1 billion users from 150 countries, so any security issue in it has the potential to affect a large number of people. TikTok is created by a Chinese company named “Byte Dance”, and which has raised worries about what it does with the user data it collects. Some have called TikTok a national security risk, and the US army has banned its use from its personnel.

Vulnerability in TIKTOK:

TikTok was carrying a vulnerability that enabled malicious actors to send malware to the users of the app. Called “SMS Link Spoofing”, this attack is based on the platform’s capability to send an SMS to someone for the purpose of downloading the app. An attacker would capture the HTTP request using a proxy tool, change the “download_url” parameter in the SMS message, and send a malware payload to the victim’s device instead of the TikTok app. The researchers have demonstrated various ways to exploit this attack method and spoof the request with the users’ cookies when the browser was opened.

When the victim is redirected to the malicious website, the actors could decide among cross-site scripting (XSS), Cross-Site Request Forgery (CSRF), or Sensitive Data Exposure (email addresses and birth dates) attacks without the victim having to take any additional action. Other exploits include the changing of videos from being private to being public, or the deletion of user videos. Since there’s no validation of the redirection URL taking place in the app, the trick will work as long as the hacker uses a domain that ends with “”. Not all of the exploit methods from then on are of the same complexity, or of equal criticality, but the step to initiate them is fairly simple.

If you regularly make payments online, start with removing that payment information once done. Such simple precautions can go a long way eventually towards your security.

To know about latest happenings in technology industry check out other posts of Thanks For Your Time !

No comments