TikTok, the popular Chinese-owned video-sharing app, shipped with several serious security flaws, according to a recent cybersecurity research report. Chained together, the vulnerabilities reportedly gave an attacker control of a targeted TikTok account: the attacker could read the victim's personal data, upload videos in their name, and delete their content, all starting from a single text message that appeared to come from TikTok itself. Separately, because the app belongs to a Chinese company, ByteDance, U.S. authorities declared TikTok a national-security threat and ordered it removed from U.S. app stores effective September 21, 2020.
The Nuts and Bolts
While the researchers found multiple flaws in TikTok, the one that raises the most concern abuses the way TikTok invites new users to install the app. TikTok's website offers a convenience feature: a visitor enters a phone number and the site sends that phone a text message containing a link to download the app. There would be nothing wrong with that feature had the link been fixed on the server. Instead, the researchers showed that the request sending the SMS could be tampered with so the message, still sent from TikTok's own number and still looking like a genuine installation prompt, carried a link of the attacker's choosing. A second weakness on TikTok's website, an open redirect, let such a link pass through a legitimate TikTok address before landing the victim wherever the attacker wanted, and a further flaw that allowed malicious script to be injected into a TikTok web page (a cross-site scripting bug) let that script run with the victim's logged-in session. It was that chain, triggered by the spoofed text message, that let an attacker act on the victim's TikTok account.
Patch Before Going Public
TikTok says it patched all of the reported vulnerabilities before the researchers published their findings. That did not stop the U.S. government from ordering both TikTok and WeChat removed from U.S. app stores on September 21. The order aimed to restrict China's access to American citizens' data out of fear of unauthorized data collection; the concern is sharpened by the fact that Chinese law can compel domestic companies to cooperate with state intelligence requests, and TikTok's parent is no exception. The order arrived amid ongoing negotiations between ByteDance and President Trump's administration to address the security concerns around TikTok. For the time being those talks look more likely to fail than to succeed, especially with the U.S. Committee on Foreign Investment (CFIUS) still investigating ByteDance's 2017 acquisition of the U.S. social media app Musical.ly.