Millions Were TikTok Hak-ed


One of the most popular social media apps could be hijacked through a link delivered in a text message. Chinese-owned TikTok is the third most downloaded app of. The viral short-video app is particularly popular with young people, but it has had serious security and privacy problems and has been banned by the United States Navy.

TikTok Can Be Hacked by SMS

A report from cybersecurity researchers at Check Point Research revealed that the Chinese-made and Chinese-owned app, like other hugely popular messaging and social apps such as WhatsApp before it, shipped with weak security. The app had several vulnerabilities that exposed its users to fraud and identity theft. Chained together, they let an attacker start from a spoofed SMS text message and, once the victim tapped the link, run malicious JavaScript in the context of TikTok's own pages and issue commands to TikTok in the victim's name, without the user's knowledge or consent.

Recognizing the risk, the United States Navy has banned sailors from using the app. Even if your own smartphone holds little sensitive data, your identity, your contacts, your videos and more are still at risk. MyProfyle recommends extreme caution to anyone who continues to use this and other Chinese-made apps.

Multiple Vulnerabilities Expose Wide Weaknesses

The researchers went on to point out that SMS link spoofing, an open redirect and cross-site scripting (XSS), each concerning on its own, can be chained to let an attacker act on the victim's account: deleting videos, uploading videos, making private videos public, and revealing account information, including the personal information of TikTok users and their contacts.

SMS Messages Appear Legitimate to Users

The starting point for all these attacks is an SMS message that appears to come directly from TikTok. In reality the sender has been spoofed (it is not really TikTok), and the message contains a link which, when tapped, runs the attacker's JavaScript on the user's device in the context of TikTok's own pages, reached through the open redirect and XSS described above. That JavaScript then triggers the chain of actions that allows the attacker to take over the user's TikTok account.

The researchers noted that this type of attack could be prevented with anti-cross-site request forgery (CSRF) protections, which were absent from TikTok although they are standard in better-secured apps. Because the requests arrive from the user's own device carrying the user's own session, TikTok's real servers execute the attacker's commands to upload or share videos just as if they were legitimate requests from the user. And because user data is stored in TikTok's cloud rather than on the device, it is the server completing the attacker's request, not anything on the phone itself, that exposes the data.

What Can You Do?

TikTok is simply the latest app or hardware product to demonstrate that it does not take security seriously. With 1 billion users in virtually every country and 75 languages, MyProfyle is shocked but not surprised to see that the investment in standard security practices has not been made. TikTok users cannot fix the software themselves, but they can update the app immediately and refrain from tapping links in any message that claims to be from TikTok. Remember, the sender can be spoofed to look like anyone: TikTok, a contact who has already been compromised, or a stranger.

MyProfyle reminds its users that exposure through hacks and data breaches like these will continue, and there is no way to protect yourself completely, because even companies as large as TikTok provide inadequate security. Become a Free Basic MyProfyle member today and learn more about risk factors like these so that you can take the appropriate steps to protect yourself and approve or reject use of your identity.


Check Point Research
