How to Hack Any TikTok Account by Sending SMS

TikTok, the 3rd most downloaded app in 2019, is under intense scrutiny over users’ privacy, censoring politically debatable material as well as on national security grounds – though it is not over yet, as the protection of enormous amounts of TikTok users will be today under question.

The famous Chinese viral video sharing app contained potentially harmful vulnerabilities which could have allowed remote attackers to hijack some user account by understanding the mobile number of specific victims.

In a statement shared online, cybersecurity researchers at an online group revealed that chaining multiple vulnerabilities enabled them How to hack Tiktok remotely by running malicious code and also do undesirable actions on behalf of the victims without the consent of theirs.

The reported vulnerabilities include poor severity issues as SMS link cross-site scripting, open redirection, and spoofing (XSS) which when coupled would likely allow a remote attacker to do higher impact attacks, including:

delete some clips from victims’ TikTok profile,
upload unauthorized video clips to victims’ TikTok profile,
make private “hidden” videos public, disclose private info kept on the bank account, like individual messages and addresses.

The attack leverages an insecure SMS system which TikTok offers on its site to allow users send out a message to the telephone number of theirs with a link to obtain the video sharing application.

Based on the scientists, an assailant is able to send an SMS message to the contact number on behalf of TikTok with a customized download URL to some malicious web page made to perform code on a specific device with currently installed TikTok app.

When coupled with wide open redirection and also cross site scripting problems, the strike might enable hackers to perform JavaScript code on behalf of victims the moment they follow the link sent by TikTok server over SMS, as found in the video demonstration the group shared..

The method is often referred to as cross site request forgery attack, wherein attackers trick authenticated users into performing an undesirable action.

“With the absence of anti-Cross-Site request forgery mechanism, we recognized that we could possibly perform JavaScript code and perform actions on behalf of the victim, with no his/her consent,” the scientists said in a short article published today.

“Redirecting the user to a malicious site is going to execute JavaScript code and make requests to Tiktok with all the victims’ cookies.”

The group responsibly reported these vulnerabilities to ByteDance, the creator of TikTok, in late November 2019, who subsequently introduced a patched variant of its mobile app within monthly to defend its users from hackers.

When you’re not operating the most recent version of TikTok situated on official app stores for Ios and Android, you are encouraged to upgrade it quickly.