Another week, and another huge security flaw in a popular smartphone app. This time, it’s with TikTok, a video sharing app owned by Chinese company ByteDance.
Cybersecurity firm Check Point Research found that the flaw made it possible to send users SMS messages that appeared to come from TikTok itself. Once a user tapped the link in such a message, an attacker could get at the videos on that user's account, including private material.
The flaw is the latest in a long line of cybersecurity vulnerabilities found in popular smartphone apps. We’ve recently reported on the dangers of AI voice imitation and vulnerabilities that allow hackers to track your phone remotely.
For TikTok, the discovery of this flaw is extremely bad news: in the US, the company is under investigation by the Committee on Foreign Investment in the United States, which is examining whether the app could pose national security concerns for Americans and be used to influence or monitor them.
Check Point Research found the security vulnerability back in November and informed TikTok, who says that they have since patched the problem.
Nevertheless, the details of the findings are worrying. Check Point found that it was not only able to send spoofed messages to TikTok users, but that it could also redirect TikTok users to a phishing site that appeared identical to TikTok's homepage.
An open redirect of this kind could then be chained with cross-site scripting and other techniques to extract even more information from affected users: the spoofed message and the redirect get the victim to a page of the attacker's choosing, and a cross-site scripting flaw on a legitimate domain lets attacker-controlled script run with the victim's logged-in session.
Spoofing the apparent sender of a message is not new. Back in 2014, the UK's Information Commissioner's Office fined a concert promoter more than $110,000.
The concert promoter had sent marketing text messages to customers that purported to come from their mothers. A few years later, Amnesty International showed that attackers were getting around Gmail and Yahoo's two-factor authentication safeguards by phishing the SMS confirmation codes in real time through fake login pages, rather than by breaking the codes themselves.
Check Point Research took aim at TikTok for a number of good reasons. The app has hundreds of millions of users, both in China and elsewhere, and the volume of personal data exchanged over it makes it a major target. In addition, TikTok's functionality is exposed across iOS, Android and the web, backed by shared server-side services, so a weakness in one surface (a web login page, a message-sending endpoint) can be chained with weaknesses in another to reach the account as a whole.
For ByteDance, the owner of the app, this news could not come at a worse time. US lawmakers have long had concerns over the security of TikTok. Not only is the app insecure, they claim, but a phone compromised through TikTok is a threat to the other systems and accounts that phone is used for. There has even been speculation that the app has been made purposefully insecure in order to allow the Chinese government to collect data on its users. That is why the app is being treated as a national security concern in the US.
There are also some lessons to be drawn for users of TikTok.
In writing up their findings, Check Point are keen to stress that the purpose of their research is not just to expose security concerns about TikTok. Rather, they point out that apps like this can be used as a way into users’ private lives.
Oded Vanunu, the lead researcher on Check Point’s report, went further:
“We see huge amounts of malicious activity on IM and social networks,” Vanunu said. “What we’re trying to make sure people understand is that the cyberspace is something that doesn’t just start and end on a sophisticated platform, but that if you’re in cyberspace, even for day to day activity, your data and privacy are at risk.”
For users, there are three main lessons to be drawn from the hack.
The first and most obvious is that everyone needs to be aware of the dangers of phishing, and particularly of messages that appear to come from service providers: a message that seems to come from TikTok, and a link that seems to lead to TikTok, is exactly what this flaw produced. Though phishing attacks sound quite retro in 2020, the truth is that they still represent the most frequent, and the most frequently successful, type of attack on consumers.
Second, the vulnerability points to the importance of segmentation. For everyday users, this means keeping your accounts as independent of each other as possible, so that a compromise of one does not hand over the rest.
In particular, avoid using a single account, such as your main email or a social media login, as the key to every other service you use.
Instead, use a strong, unique password for each account, and resist the temptation to sign in to other services with your social media accounts, no matter how convenient this might be.
Third, and at the broadest level, the vulnerability shows how hard it is for users to know who else can see their data. If, as some in the US have claimed, TikTok is being monitored by the Chinese government, it is certainly not the only app to be so.
The disclosure of this vulnerability is definitely bad news for TikTok, but it might be good news for TikTok users. The app is so popular among young people that many did not stop to question who owns it before downloading it. The recent disclosure might bring home the importance, and ubiquity, of smartphone vulnerabilities, and might even convince some young TikTok users to consider a career in cybersecurity.
For US lawmakers, and especially those of protectionist views, the recent revelations back up a narrative they have been pushing for months now: that ByteDance should be banned from the US. Check Point has backed away from making wider claims about what the hack means for the security of TikTok more generally, but Vanunu has said that it was not difficult to draw certain conclusions based on what it did find. “You can link the dots on what could be the implications for geopolitical cyber warfare,” he said.