This article was published on January 8, 2020

A TikTok bug let hackers take over your account just through a text



TikTok, one of the fastest-growing social networks in the world, closed a bug last December that let hackers take over anyone’s account by just sending a text.

The vulnerability, discovered by Israel-based security agency Check Point, suggests all profiles on the platform were under threat.

A blog post by Check Point security researchers noted that, by using the exploit, bad actors could:

  • Get hold of TikTok accounts and manipulate their content
  • Delete videos
  • Upload unauthorized videos
  • Make private “hidden” videos public
  • Reveal personal information saved on the account such as private email addresses

Luke Deshotels from TikTok's security team specified that no user data has been compromised:

Following a review of customer support records, we can confirm that we have not seen any patterns that would indicate an attack or breach occurred.

Researchers said TikTok’s platform had multiple vulnerabilities such as SMS link spoofing, open redirection, and cross-site scripting (XSS) that could be combined to take over an account.

Using TikTok’s site, they could send users a message to download the app, but with a malicious link. Through manipulated JavaScript code, attackers could control a user’s profile when the user clicked on the link sent through SMS.
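One way to close off the two link-handling weaknesses described above, SMS link spoofing and open redirection, shown as an added example that is not TikTok's or Check Point's code. The function names, the `example.com` hosts and the request shape are hypothetical.

```javascript
// Added example: all names and hosts below are hypothetical placeholders.
const ALLOWED_REDIRECT_HOSTS = new Set(["www.example.com", "m.example.com"]);
const APP_DOWNLOAD_LINK = "https://www.example.com/download"; // fixed server-side

// Build the "text me the app" SMS. The link is a server constant; any link
// supplied in the request is ignored, so the text cannot carry a spoofed URL.
function buildInviteSms(request) {
  const phone = String(request.phone || "");
  if (!/^\+[1-9]\d{6,14}$/.test(phone)) {
    throw new Error("invalid phone number");
  }
  return { to: phone, body: `Download the app: ${APP_DOWNLOAD_LINK}` };
}

// Return a safe redirect target, or the fallback when the candidate fails a check.
function safeRedirect(candidate, fallback = "https://www.example.com/") {
  let url;
  try {
    // No base URL is supplied, so relative and "//host" forms are rejected.
    url = new URL(String(candidate));
  } catch {
    return fallback;
  }
  // Rejects javascript:, data: and plain http: targets.
  if (url.protocol !== "https:") return fallback;
  // Rejects "allowed-host@other-host" userinfo tricks.
  if (url.username || url.password) return fallback;
  // Only the default HTTPS port is accepted.
  if (url.port !== "") return fallback;
  // Exact host match: no substring, prefix or suffix comparison.
  if (!ALLOWED_REDIRECT_HOSTS.has(url.hostname)) return fallback;
  return url.href;
}
```

Matching on the parsed hostname, rather than running a pattern over the raw string, is what keeps look-alike hosts and embedded credentials from passing the check.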

The security firm found this vulnerability last November and it was patched by TikTok developers in December. While TikTok users are not under any threat, you should make sure you’re running the latest version of the app.

The app had more than 700 million daily active users as of last November.
