ISSUE: TikTok Hijacking

By: William Sikkens
Host, User Friendly 2.0, Saturdays at 5:00 p.m.

Not one but four security issues were found in the TikTok Android app. These bugs would allow the hijacking of your TikTok account. Vulnerabilities such as these could allow a malicious app to steal sensitive files from inside the application, some of which include session tokens, which track your user account. (Read more below.) For now, it looks like Apple users of TikTok don’t need to worry about these bugs.

The malicious app could exploit the vulnerabilities to inject a dangerous file into the less-than-secure TikTok application. Once the user opens the app, the dangerous file is triggered, letting the malicious app silently send stolen session tokens to the attacker’s server in the background.

In addition, the malicious app could hijack the Android device TikTok is running on, allowing access to the camera, microphone, and private data including your photos, contact lists, and videos. Do you really want strangers looking at your personal photos or getting your loved ones’ phone numbers?

These vulnerabilities are being reported by Oversecured, which has published a complete list of the technical details of the bugs on its website.

TikTok made the following statement regarding the app issues.

“As part of our ongoing efforts to build the safest and most secure platform in the industry, we constantly work with third parties to find and fix bugs,” said TikTok spokesperson Hilary McQuaide. “While the bugs in question would only pose a risk if a user had also downloaded a malicious application onto their Android device, we have fixed them. We appreciate the researcher reporting this issue to us so that we could fix it, and we encourage all of our users to download the latest version of the app.”

The fix (according to TikTok):  Update your app.

DIG DEEPER:

When you log into an app you usually enter a username and password.  Some apps have added MFA (multi-factor authentication), which also requires a third level of security such as a fingerprint scan or text message.

As login security has become better, the bad guys are looking for other ways to get to your personal information.   Many apps use what’s called a session token to allow you to have access.  This is done so that your password does not need to be passed through the different screens within an application.

The session token expires when you log off or when you close the app. This means the next time you log in, a new session token is created. The vulnerability in TikTok’s app is that this session token can be accessed while TikTok is in use. If a user installs another app that contains the hijack (the malicious app), it will run alongside TikTok and copy the session token. As soon as that is done, the malicious app will appear authenticated as your TikTok account and can access everything on your device just as TikTok can.

This does require the user to install another app which has been compromised. These “compromised” apps are actually malware. They are promoted to get as many people as possible to install them. The applications are marketed as something useful. Some examples include things like “free wallpaper” or “a messenger service”. (There is a list of known malware apps below.) Once installed, these malware apps compromise other parts of your device.

Digital Trends publishes a list of known malware apps. Their list includes, among others:

  • Advocate Wallpaper
  • Age Face
  • Altar Message
  • Antivirus Security – Security Scan
  • Beach Camera
  • Board picture editing
  • Certain Wallpaper
  • Climate SMS
  • Collate Face Scanner
  • Cute Camera
  • Dazzle Wallpaper
  • Declare Message
  • Display Camera
  • Great VPN
  • Humour Camera
  • Ignite Clean
  • Leaf Face Scanner
  • Mini Camera
  • Print Plant scan
  • Rapid Face Scanner
  • Reward Clean
  • Ruddy SMS
  • Soby Camera
  • Spark Wallpaper

To check what apps are installed on your Android device, open “Play Store” and then select “Apps” -> “My Apps” for a list. It’s a good idea to uninstall or deactivate apps that you don’t use. Even if they are not malware, each install takes memory and device capacity. Keeping this clean will keep your device running better.

William (Bill) Sikkens has been an on-air technology expert since 2014. With expertise in I.T., cyber security and software design, he has more than 20 years’ experience with advanced technology. Sikkens conceptualizes and designs custom applications for many professional industries, from health care to banking, and has the ability to explain the details in a way all can understand. Article edited by Gretchen Winkler, who, along with Jeremy Winkler, co-hosts User Friendly 2.0 here on The Answer, Saturdays at 5:00 p.m.

Links and brand/store information provided are for information only and are not endorsed by Salem Media Group, KPAM or the show’s hosts.

Got a technology question or comment for Bill? Follow him on Twitter @sikkensw