Hack TikTok – Multiple Vulnerabilities Found

Hack TikTok

High severity vulnerabilities found in TikTok App, which could allowed hackers to hack TikTok account.

TikTok is one of the most famous download apps, mostly its users are teenagers. Over 1 Billion users globally and available in 75 languages.

According to Check Point Research teams discovered multiple vulnerabilities within the TikTok application. The vulnerabilities described in this research allow attackers to do the following:

  • Get a hold of hack TikTok accounts and manipulate their content
  • Delete videos
  • Upload unauthorized videos
  • Make private “hidden” videos public
  • Reveal personal information saved on the account such as private email addresses.

How TikTok account could Hack?

By SMS link Spoofing

During research, it is possible to send a SMS message to any phone number on behalf of TikTok.

Cyber attackers can tempered the HTTP request to send an SMS. The Mobile parameter contains the phone number to which the SMS will be sent to and the download_url parameter is the link that will appear in the SMS message:

Tiktok SMS Burpsuite

Tiktok Legitimate SMS

By changing the download_url parameter will result in a spoofed SMS message that will contain the link the attacker chooses to type.

TikTok Open Redirection Vulnerability

By Open redirection with domain regex bypass

The redirection occurs when an attacker sends a legitimate login link derived from Tiktok’s domain:

https://login.tiktok.com.

 
Cyber security researchers found that the login request can contain a HTTP GET parameter redirect_url, an example to a login request that will redirect the user after a successful login attempt –
 

https://login.tiktok.com/?redirect_url=https://www.tiktok.com

 
The redirection parameter will redirect the victim to tiktok’s domain web pages according to the following validation regex (client side only).

The redirection process was found to be vulnerable since the validation regex is not validating the value of the redirect_url parameter properly. Rather, the regex validates the parameter value ending with tiktok.com and making it possible to perform a redirection to anything with tiktok.com.

Cross-Site Scripting (XSS) Vulnerability found on Tiktok subdomain

As per research continued , researcher found that Tiktok’s subdomain https://ads.tiktok.com is vulnerable to XSS attacks, a type of attack in which malicious scripts are injected into otherwise benign and trusted websites.

The ads subdomain contains a help center where you can find information on how to create and publish ads in Tiktok. The help center, available at https://ads.tiktok.com/help/, contains a search vulnerability.

The injection point of the XSS attack was found in the search functionality. When an attacker tries to perform a search, an HTTP GET request is performed to the web application server with a q parameter and the searched string as its value.

The following screenshot shows a legitimate search performed by the attacker, searching for the word “pwned”:
 

https://ads.tiktok.com/help/search?q=pwned

 
The attacker tries to inject JavaScript code into the q parameter (the injected value is URL encoded).

For the purpose of demonstration, we have popped an alert window with the content “xss”:

https://ads.tiktok.com/help/search?q=%22%3Cscript%20src%20%3Djavascript%3Aalert%28%29%3E

TikTok XSS

Cross-site Request Forgery (CSRF)

CSRF Vulnerability found in TikTok. At this point, the researchers had two different flows that we could execute JavaScript code on behalf of any victim that clicked the link we sent (as explained in SMS Link Spoofing) – XSS and open redirection (redirecting the user to a malicious website that will execute JavaScript code and make requests to Tiktok with the victims’ cookies).

With the lack of anti-Cross-Site request forgery mechanism, security researchers have realized that they could execute JavaScript code and perform actions on behalf of the victim, without his/her consent and can hack tiktok.

By Deleting video

Deleting a video can be made via HTTP GET request to

https://api-t.tiktok.com/aweme/v1/aweme/delete/?aweme_id=video_id

 

Using JavaScript execution as mentioned above, we could send the HTTP GET request with the desired aweme_id (video id) of the video the attacker wishes to delete.

The following screenshot demonstrates a request deletion of video id 6755373615039991045:

TikTok Video Delete

Change a private video to a public video

In order to change a video from private mode to public mode, the attacker has to retrieve the video id.
Retrieving the video id is possible while the attacker is a follower of the victim as explained above.

Once the attacker has a video id of a private video, he/she can change the video privacy settings by sending a HTTP GET request on behalf of the user (using the JavaScript execution as written above):

 

https://api-m.tiktok.com/aweme/v1/aweme/modify/visibility/?aweme_id=video_id&type=1&aid=1233&mcc_mnc=42503

 

Please note that with “type=1” the requested video will be changed to public mode while “type=2” will cause a video to turn private.

The following screenshot demonstrates a HTTP GET request to change video id 6755813399445261573 from private mode to public mode:

Tiktok private video to public

After that, the server response indicates that the video turned into public.

All TikTok Vulnerabilities Fixed

Check Point researchers submitted all these vulnerabilities to ByteDance, the TikTok developer.

Overall, the TikTok fixed the vulnerabilities and updated its latest version. You need to update from it’s official app store for iOS and Android.

“TikTok is committed to protecting user data. Like many organizations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us. Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers,” said Luke Deshotels, PhD, TikTok Security Team. “Following a review of customer support records, we can confirm that we have not seen any patterns that would indicate an attack or breach occurred.”

Get full research at Checkpoint.

For the latest update about Cyber and Infosec World, follow us on Twitter, Facebook, Telegram , Instagram and subscribe to our YouTube Channel.

Subscribe to HackersOnlineClub via Email

Enter your Email address to receive notifications of Latest Posts by Email | Join over Million Followers

More from Priyanshu Sahay

Twitter New Bug Leaked Users Phone Number Country Code

Twitter unveiled, there are unusual activity from China and Saudi Arabia on...
Read More

Leave a Reply