Head of Products Vulnerability Research at Check Point. He leads white-hat hacker groups that identify low- to high-risk vulnerabilities in Check Point products and research cutting-edge technologies for bypass techniques. With more than 20 years of InfoSec experience, Vanunu leads a products vulnerability research team that focuses on offensive security attack-surface research and publishes the tools, techniques, and vulnerabilities affecting global users of platforms such as WhatsApp, TikTok, Amazon Alexa, Fortnite, Facebook, EA games and more at global research events such as Black Hat and RSA.
Inside TikTok – Chaining up multiple web vulnerabilities for taking control | International Congress ITAPA 2020

Available in over 150 markets, used in 75 languages globally, and with over 1 billion users, TikTok has definitely cracked the code to the term “popularity” across the globe. As of October 2019, TikTok is one of the world’s most downloaded apps. The application is used mainly by teenagers and kids to create short music clips, mostly lip-sync clips of 3 to 15 seconds, and short looping videos of 3 to 60 seconds. It allows the youth to share, save and keep private (and sometimes very sensitive) videos of themselves and their loved ones.

So far so good… BUT in the last year we have seen evidence of the potential risks embedded within the TikTok application, and this has been acknowledged by others in the industry as well. According to USA Today, the US Navy banned the use of the application by its personnel, while in an article by The Guardian, Senior Democrat Chuck Schumer said that the “TikTok app poses potential national security risk”. In addition, the New York Times reported that TikTok is under national security review. Most recently, CNet.com reported that the US Army banned TikTok from use on government phones, reversing its policy on the entertainment app, which it had recently used as a recruiting tool. BUT no one ever shared why an app with more than 1 BILLION users should not be used.
So, as part of our responsibility, we decided to take a deep dive inside TikTok to understand why everyone says it is risky without elaborating, and to share what we found with the public. Following our research, we discovered multiple vulnerabilities within the TikTok application. Our goal in this session is to share, for the first time, the behind-the-scenes story and the details of how chaining multiple vulnerabilities allows hackers to take full control over TikTok users’ accounts!
The vulnerabilities described in this research allow attackers to do the following:
- Take control of TikTok accounts and manipulate their content
- Delete videos
- Upload unauthorized videos
- Make private “hidden” videos public
- Reveal personal information saved on the account such as private email addresses