Security researchers have discovered a number of vulnerabilities in the popular video app TikTok. At the heart of the issue was a feature on the TikTok website that allowed attackers to send a TikTok text message (SMS) to their potential victims. The attacker could then have embedded their own link in the SMS. In this way, victims could have been redirected to a phishing site. It was also possible to use the link to send commands to the victim's TikTok app, for example to delete or create videos on the victim's behalf. In addition, private videos could have been converted into public videos.
TikTok User Data Was At Risk
In their tests, the researchers also found a way to access sensitive user data such as email address, date of birth or payment information via the TikTok API. There were security mechanisms that were meant to prevent unauthorized access to this data, but the security experts were able to bypass them.
Attackers were able to use the vulnerabilities to access and manipulate the content and user accounts of TikTok users. The attackers were also able to gain access to the user accounts and thus obtain personal information such as email addresses and contact details. The attackers only had to send a user a fake SMS message containing a specially crafted link. As soon as this link was clicked, the attackers could access the user account. In this way, unauthorized persons could also gain access to private videos of TikTok users.
Marketing Threat On TikTok?
More and more brands and companies are also creating accounts on TikTok in order to reach the young target group. The download numbers show how high the marketing potential of the platform can be, but companies with accounts also have to consider the security of the platform. The US Army recently prohibited its soldiers from using the app on their service smartphones, after having attempted to recruit new soldiers via the platform in October. It stated that TikTok was a potential security risk for the United States.