China-Made TikTok Riddled With Security Holes: App Researchers


TikTok is a mobile app developed in China. It is used to create short lip-synced comedy or talent video clips of 3 to 15 seconds, or of up to 60 seconds when looped. It is especially popular among young people, who use it mainly for self-promotion and showing off.

The app was developed in 2016 by ByteDance, based in Beijing, and launched on the global market for Android and iOS in 2017. It now has over 1 billion users, and more than a few critics. The close relationship between Chinese businesses and the Chinese government is the source of that concern. Introducing legislation that would prohibit U.S. companies from storing U.S. personal data in countries like China and Russia, Senator Josh Hawley (R-Mo.) commented, “If your child uses TikTok, the Chinese Communist Party will have a chance to know where they are, what they look like, what their voices sound like, and what they are watching.” TikTok, for its part, has said: “The Chinese government has never asked us to remove any content, and if asked, we would not do so. Period.”

Such concerns have already led to action in the U.S. At the end of 2019 the Army reversed an earlier strategy of using TikTok as a recruiting tool and banned its use on government phones. Ten days earlier, the U.S. Navy had likewise banned the use of TikTok on government phones.

Now it seems that possible Chinese government access to its data is not the only thing that should alarm TikTok users: Check Point found multiple easily exploitable bugs in the app. These could allow an attacker to upload fake videos and delete genuine ones, change the status of videos from private to public, and extract sensitive personal data such as users’ full names, email addresses, and birthdays.

TikTok’s website offers to send users an SMS message containing a link to download the app. A proxy tool such as Burp Suite can capture the request, which includes both the destination phone number and the app’s download link. An attacker can modify the download URL to point at a site under their control (for example, tiktok-usa.com, which is currently unused and available). A user who does not notice the change could then download malware or a modified version of TikTok.

Another vulnerability is described as ‘domain regex bypass open redirection.’ “The redirection process was found to be vulnerable,” say the Check Point researchers, “because the regex validation does not properly validate the redirect url parameter value. Rather, the regex validates the end value of the parameter value with tiktok.com, enabling redirection to anything with tiktok.com.” As a result, attackers could redirect the user to a site of their own.
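To make the regex flaw concrete, here is an added illustration (not code from TikTok or from Check Point’s research) of a validator that, as described above, only checks that the parameter value ends in tiktok.com, beside a hardened version that parses the URL and compares the actual hostname against an allowlist. The allowed host names and the sample URLs are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Weak validator modelled on the flaw described above: the regex looks only
# at the end of the raw parameter value, so any string that happens to end
# in "tiktok.com" passes, whatever host the browser would actually visit.
WEAK_REDIRECT_RE = re.compile(r"tiktok\.com$")


def weak_is_allowed(redirect_url: str) -> bool:
    """Return True if the raw value ends in tiktok.com (the flawed check)."""
    return WEAK_REDIRECT_RE.search(redirect_url) is not None


# Constructed allowlist for the hardened validator (an assumption, not a
# list of real TikTok redirect targets).
ALLOWED_HOSTS = {"tiktok.com", "www.tiktok.com", "m.tiktok.com"}
ALLOWED_PARENT = ".tiktok.com"


def strict_is_allowed(redirect_url: str) -> bool:
    """Parse the URL and decide on its hostname, not on the raw string.

    Rejects non-https schemes, scheme-relative URLs, missing hosts, and any
    hostname that is neither on the allowlist nor a subdomain of tiktok.com.
    """
    try:
        parts = urlsplit(redirect_url.strip())
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme != "https":
        return False
    host = parts.hostname  # lower-cased; userinfo and port already stripped
    if not host:
        return False
    # "evil-tiktok.com" is not a subdomain: require the dot-separated suffix.
    return host in ALLOWED_HOSTS or host.endswith(ALLOWED_PARENT)


def compare(redirect_url: str) -> tuple:
    """Return (weak_result, strict_result) for one candidate redirect value."""
    return weak_is_allowed(redirect_url), strict_is_allowed(redirect_url)
```

Running compare() over values such as https://evil-tiktok.com or https://evil.example/?next=tiktok.com shows the weak check accepting what the hostname-based check rejects.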

The researchers also found an XSS vulnerability in the ad.tiktok(.)com subdomain, which hosts a help center with a search tool. A search request ends in ‘q=search term’, and they found that JavaScript could be injected into the ‘q’ parameter.

Combining these issues, the researchers found that they could both delete an existing user video and create a new one. Creating a video, for example, requires the attacker to first send a request to create a video on his own feed, which establishes a new ID for the file. Then, using the JavaScript execution, the researchers say, “the attacker posts the request for video creation he copied and sends the request for HTTP POST on behalf of the victim.” As a result, the attacker’s video appears in the victim’s feed.

Other possibilities open to the attacker include becoming a follower of a victim without the victim approving the follow request, and changing the victim’s private videos to public ones.

Finally, the researchers found they were able to exfiltrate a victim’s personal data from TikTok. They found API calls in the subdomains https:/api-t.tiktok(.)com and https:/api-m.tiktok(.)com. While these were protected by Cross Origin Resource Sharing (CORS) and Same Origin Policy (SOP) security restrictions, they also found an unconventional JSONP callback that bypassed those constraints.

“Bypassing those security mechanisms,” say the researchers, “allowed us to steal all the sensitive information of the victims by triggering an AJAX request to the JSONP callback, resulting in JSON data wrapped by JavaScript function.” This data can be sent to the attacker’s server.

“Data is pervasive, and our latest research shows that the most popular apps are still at risk,” said Oded Vanunu, Check Point’s head of product vulnerability research. “Social media applications are highly targeted for vulnerabilities as they provide a good source of personal, private data and offer a large attack surface. Malicious actors are spending large amounts of money and time to try and penetrate these hugely popular applications — yet most users are under the assumption that they are protected by the app they are using.”

Check Point Research informed TikTok’s developers of the vulnerabilities identified in this research, and a fix was responsibly deployed so that users could continue to use the TikTok app safely. Nevertheless, ensuring that all app downloads come only from trusted and reliable sources remains important.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.