TikTok closes leaks that allowed uploading video on victim’s account

Social medium TikTok has patched leaks that allowed an attacker to upload a video on a victim’s account, delete videos or make private videos public. Completely taking over an account was not possible.

Xss Source: Check Point Research

The attack was possible by using multiple exploits side by side, Check Point Research reports. Most importantly, it was possible in two ways to run arbitrary Javascript in the app using the cookies of a user clicking a link. This allowed an attacker to run Javascript while a user was logged in.

One is an xss leak on ads.tiktok.com, where the site failed to check the entries. The other leak was in not checking the URL behind a redirect, so that users could end up on an attacker’s webpage after logging in.

The attack was able to start via the SMS function on TikTok’s website, which allows users to send themselves a link to download the TikTok app. It turned out to be easy for an attacker to change the download link to send any URL. As long as the url starts according to a certain format, a mobile operating system will open it in the TikTok app. The text seems to come from TikTok.

Then it turned out to be possible to run Javascript via xss or the redirect trick. With that Javascript it turned out to be possible to ask the server to add, remove or change a video. Taking over the account is not possible via the trick. TikTok closed the leaks last month. There appears to have been no widespread abuse of the leaks.

Your browser does not support the video tag.