TikTok vulnerability allowed hackers to send SMS with malware

How to hack the TikTok account with a malicious link in a text message? Well, it’s possible as researchers noticed.
TikTok vulnerability allowed hackers to send SMS with malware

The vulnerability has been patched.

Cited as a threat against even the giant looming figure of Facebook, Tiktok app has taken the world by storm. At the same time, it has also come under fire for being unproductive and a bad influence to a degree that recently US military had to ban TikTok over privacy concerns.

However, even more, is its association with the Chinese government inviting “spyware” allegations. While these may or may not be true, recently with the help of Checkpoint, the app was found to have several vulnerabilities that now have been fixed thankfully.

According to Checkpoint’s blog post, the research firm disclosed them to the platform’s parent company ByteDance who rolled out an update quickly to patch them.


Delving into these, the first one was in its SMS functionality. Tiktok’s website allows users to send themselves a text message with a link to download the app.

TikTok hacking vulnerability

While this is surely convenient, it could become the opposite if an attacker knows your phone number, a possibility not difficult to imagine with the amount of open-source intelligence available today

See: Names & Phone numbers of 267 million Facebook users exposed

Using that, the attacker could edit the download link URL parameter as shown in the image below and send a spoofed message containing a malicious link instead.

TikTok hacking vulnerability
Spoofed SMS with a link sent by the attacker (left) – Download_url parameter in the text (Image credit: Checkpoint)

Secondly, Tiktok has an ads subdomain that was found vulnerable to Cross-Site Scripting (XSS). This essentially translates to the fact that users could experience malicious scripts from a domain that they believe is trustworthy and hence end up getting compromised.

An example of this is found in the search functionality features of this specific subdomain. By entering harmful scripts in place of legitimate search results, the user could be manipulated to take actions such as deleting their own content or even posting sensitive content.

Furthermore, confidential data such as your payment information &  date of birth can also be obtained by such malware, the latter may seem innocuous but can be a crucial aid for long term social engineering.

See: Hacking Facebook Account by Simply Knowing Account Phone Number

Simply put, an attacker could perform the following malicious actions by exploiting TikTok vulnerabilities.

  • Get hold of TikTok accounts and manipulate their content 
  • Upload unauthorized videos
  • Delete videos
  • Make private “hidden” videos public
  • Reveal personal information saved on the account such as private email addresses

The takeaway from this is that no platform is vulnerability-proof. While this indeed does seem like common sense, the majority of us forget so when using these platforms and allow information to flow through them unfiltered. Hence, it is important that we keep any of our “online information” to a minimum.

If you regularly make payments online, start with removing that payment information once done. Such simple precautions can go a long way eventually towards your security.

Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.

Related Posts