It has been reported that multiple vulnerabilities have been found within video sharing app TikTok. Security researchers found that it was possible to spoof text messages to make them appear to come from TikTok. Once a user clicked the fake link, a hacker would have been able to access parts of their TikTok account, including uploading and deleting videos and changing settings on existing videos from public to private. The researchers also found that TikTok’s infrastructure would have allowed a hacker to redirect a hacked user to a malicious website that looked like TikTok’s homepage. This could have been combined with cross-site scripting and other attacks on the user’s account.
A security vulnerability on TikTok exposed users’ personal information to hackers during much of last year.https://t.co/wRH0ZddPQz
— New York Daily News (@NYDailyNews) January 8, 2020
As long as its economically viable to steal identities – hackers will constantly look to evolve their tactics. This is especially troubling with mobile apps, where users are conditioned to receive notifications and alerts via SMS. If a hacker has your phone number, they essentially have a highly effective channel for corrupting your credentials (for a multitude of apps.)
Organizations must understand that in a connected, global economy – a person’s identity is ultimately the perimeter of an application. Usernames and passwords as a primary authentication model are not effective and additional authentication measures must be implemented – especially if access is coming from an unusual location.
SMS is often used by two-factor authentication solution providers but this is highly problematic, and we’ve seen time and time again that SMS codes can and have been hijacked or intercepted by bad actors and malware. This TikTok vulnerability raises the question of whether similar security issues can be used to exploit 2FA in the future. If so, that’s a scary prospect, and this is why we continue to advocate for biometric-based authentication, which has much higher levels of identity assurance than SMS and 2FA.
Malicious actors are always looking for vulnerabilities, so TikTok should not be shamed for being targeted. The fact that they are taking ownership and offering quick support updates to mitigate the risk to their users is a positive step that should be commended.
One of the main vulnerabilities in question involved hackers being able to access phone numbers and send texts, which should serve as a warning that SMS messages must always be taken with precaution due to their lack of security. People should always think twice before clicking on a link in a message, but when the SMS looks legitimate, people often still follow through with the request.
Auto updates are always the best way to keep up to speed with apps like TikTok. They will then look after themselves, so auto updating in the background should provide peace of mind.
With 40% of TikTok users being between 10-19, the ability for this user base to detect or understand the implications of any scam are limited. Developers of apps targeting or popular with teens then have a social responsibility to protect their install base from threats designed to harvest their data or scam them. While TikTok was able to patch the issues identified by Check Point Research, during investigation of the issue the attack path would’ve been investigated. Developers performing this research would likely have identified not only the specific attack method, but could likely have discovered additional potential areas for user data to become compromised. This investigative process is common when faced with any security issue, but in addition to the patch the development team should’ve updated their threat models and performed a more thorough review of the security of their application. By both creating a patch and updating a threat model, an organisation can effectively prevent future attacks as developers tend to repeat coding patterns and if a given coding pattern leads to security issue under one condition, it likely leads to security issues when used elsewhere in the application.