TikTok has become one of the most popular social media platforms. It is an application that lets users share and watch short videos, between fifteen seconds and three minutes long, from the people they follow (celebrities, friends and family members). Unfortunately, that popularity also makes it an attractive target for attackers. This article covers five common TikTok vulnerabilities and attack techniques and how to protect yourself against them.
TikTok Hacks and Vulnerabilities:
- Cross-Site Scripting (XSS)
- Phishing Emails
- Remote Keyloggers
- Zero-Day Vulnerabilities
- Weak Passwords
1. Cross-Site Scripting (XSS)
Cross-site scripting is a “vulnerability that allows unauthorized JavaScript code to be executed on a website”. The two most commonly discussed types are reflected and stored XSS. Reflected XSS is considered less harmful and “is a one-time attack where the payload sent in a reflected XSS attack is only valid on that one request”. Whoever “clicks the link that contains the malicious script will be the only person directly affected by this attack”. Let’s take a look at an example of an XSS attack on TikTok. In 2020, security researcher Muhammed Taskiran found a vulnerability related “to a URL parameter on the tiktok.com domain which was not properly sanitized”. While fuzzing the platform, he found that “this issue could be exploited to achieve reflected cross-site scripting, potentially leading to the execution of malicious code in a user’s browser session”. So what does this mean for the TikTok user? Script that runs in a user’s browser session on tiktok.com runs with that user’s logged-in privileges on the site: it can read whatever the page can read, send requests to TikTok as that user, redirect the user to a malicious website, or record what the user does on the page. Compromising the device itself would require a separate browser vulnerability on top of the XSS, but taking actions on the user’s TikTok account does not.
How to Protect Against XSS Attacks
The fix belongs on TikTok’s side: every value taken from the URL must be validated and, above all, encoded for the context it is inserted into (HTML body, attribute, JavaScript, URL) before it is echoed back, so that attacker-supplied text is displayed rather than executed. As a user you cannot patch the site, but you can reduce your exposure by not opening tiktok.com links with unusual query strings that arrive from untrusted sources, and by keeping your browser up to date.
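To make the reflected-XSS mechanism concrete, here is an added example (written for this article, not TikTok’s code) of a page template that echoes a URL query parameter. The first version concatenates the parameter straight into the markup; the second encodes it for the HTML-body context. The parameter name `q`, the host `example.test` and the page layout are assumptions for illustration.

```javascript
// Added example (not TikTok's code): a page template that echoes a URL query
// parameter, first unsafely and then with output encoding. The parameter name
// "q", the host example.test and the page layout are assumptions.

// Minimal HTML entity encoder for text placed inside an element body.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Read one query parameter from the request URL, as the server would.
function getParam(url, name) {
  return new URL(url).searchParams.get(name) ?? "";
}

// VULNERABLE: the raw parameter is concatenated into the markup, so the
// browser parses anything in it as HTML and runs any script it contains.
function renderUnsafe(url) {
  return `<p>Results for: ${getParam(url, "q")}</p>`;
}

// HARDENED: the same value is entity-encoded for the HTML-body context before
// insertion, so the browser displays it as text.
function renderSafe(url) {
  return `<p>Results for: ${htmlEncode(getParam(url, "q"))}</p>`;
}

// Coarse check used only to make the difference visible: does the output still
// contain a construct that can execute script? Encoding, not this regex, is the fix.
function containsActiveContent(html) {
  return /<script[\s>]|<img[^>]*onerror=|javascript:/i.test(html);
}

// Constructed attacker link: the payload rides in the query string and is
// reflected into the page of whoever clicks it.
const attackerLink =
  "https://example.test/search?q=" +
  encodeURIComponent('<img src=x onerror="alert(document.cookie)">');

console.log("unsafe:", renderUnsafe(attackerLink));
console.log("safe:  ", renderSafe(attackerLink));
```

Note that the encoder above is only correct for text inside an element body; a value placed inside an attribute, a `<script>` block or a URL needs the encoding rules of that context, which is why a single “sanitize everything once” step is not enough.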
2. Phishing Emails
Phishing emails are an easy way for attackers to take over TikTok accounts. The attacker sends fake emails to users that appear to come from TikTok. The content could state, for example, that your account has been compromised and that TikTok needs your credentials to recover it. This is just one example of how a cybercriminal can manipulate you into entering your personal information on a page they control. Back in 2019, there was a vulnerability that allowed attackers “to use a link in TikTok’s messaging system to send users messages that appeared to come from TikTok”. If a user clicked the link, the attacker could gain control of that user’s account and do whatever they wanted with it (post videos, view the user’s private videos, and more).
How to Protect Against Phishing Attacks
Users should be educated and informed on the characteristics of phishing emails in order to be able to spot them. This is what you can do:
- Do not click on any links or open any attachments from suspicious emails
- Check where a link really goes (hover over it, or long-press on mobile) rather than trusting the text it displays, and make sure the destination is the genuine tiktok.com domain
- Do not enter any personal information from a pop-up screen (note: legitimate companies would never ask for personal information this way); if you are worried about your account, open TikTok directly instead of following the link
- Pay close attention to misspellings in the sender address and the email contents
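The “check where the link really goes” step is easy to do by hand but also easy to automate. The following is an added example (not TikTok’s code) that compares the text a link displays with its actual target and reports the classic indicators: a target outside the trusted domain, a brand name in the visible text pointing elsewhere, a `user@host` trick that puts “tiktok.com” before the real host, punycode labels, and a non-HTTPS scheme. The trusted-host list and the sample links are constructed for illustration; `account-verify.test` and `198.51.100.7` are not real phishing hosts.

```javascript
// Added example (not TikTok's code): classify a link from an e-mail by comparing
// where it claims to go with where it actually goes. The trusted host list and
// the sample links are constructed for illustration.

const TRUSTED_HOSTS = ["tiktok.com"];

// True if host is exactly a trusted domain or a subdomain of one.
// Note that "tiktok.com.evil.test" is NOT a subdomain of tiktok.com.
function isTrustedHost(host, trusted = TRUSTED_HOSTS) {
  const h = host.toLowerCase();
  return trusted.some((t) => h === t || h.endsWith("." + t));
}

// Returns the list of phishing indicators that fired; an empty list means none.
// `displayText` is what the reader sees, `href` is the real target.
function phishingIndicators(displayText, href, trusted = TRUSTED_HOSTS) {
  const reasons = [];
  let url;
  try {
    url = new URL(href);
  } catch {
    return ["href is not a parseable URL"];
  }
  const host = url.hostname.toLowerCase();
  const text = displayText.toLowerCase();

  if (!isTrustedHost(host, trusted)) {
    reasons.push(`target host ${host} is not a trusted domain`);
    // The brand name (first label of a trusted domain) shown to the reader,
    // while the link goes somewhere else entirely.
    if (trusted.some((t) => text.includes(t.split(".")[0]))) {
      reasons.push("visible text names a trusted brand but the link goes elsewhere");
    }
  }
  // https://tiktok.com@198.51.100.7/ : the part before "@" is userinfo, not the host.
  if (url.username || url.password) {
    reasons.push("URL contains userinfo before the host (user@host trick)");
  }
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    reasons.push("host uses punycode (possible look-alike characters)");
  }
  if (url.protocol !== "https:") {
    reasons.push(`non-HTTPS scheme ${url.protocol}`);
  }
  return reasons;
}

// Constructed sample links: one genuine, two phishing-style.
const SAMPLE_LINKS = [
  { text: "https://www.tiktok.com/reset", href: "https://www.tiktok.com/reset" },
  { text: "Recover your TikTok account", href: "http://tiktok.com.account-verify.test/login" },
  { text: "https://tiktok.com/login", href: "https://tiktok.com@198.51.100.7/login" },
];

for (const { text, href } of SAMPLE_LINKS) {
  console.log(href, "->", phishingIndicators(text, href));
}
```

The suffix check in `isTrustedHost` is the important detail: matching on “contains tiktok.com” would wave through `tiktok.com.account-verify.test`, which is exactly the kind of host phishing pages use.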
3. Remote Keyloggers
Remote keyloggers target the device you type on, whether phone or laptop: the attacker first has to get a piece of software onto the device, usually by tricking you into installing it, and that software then records everything you type and sends it back to the attacker. This means that if you log into any personal account (email, bank, TikTok, and more) from the infected device, every keystroke, including your password, is captured, and the attacker can use it to take over your account.
How to Protect Against Remote Keyloggers
- Do not use third party keyboard applications
- Do not open any attachments or click on links in email messages as the keylogger could be embedded in the attachment
- Install anti-spyware applications to help detect, disable, and quarantine software-based keyboard loggers
4. Zero-Day Vulnerability
Zero-day vulnerabilities are security flaws that are not yet known to the software vendor, or are known but have no patch available yet, so attackers can exploit them before a fix exists. If an attacker finds such a flaw in TikTok (for example in the application code or in the backend that stores user data), they may be able to access users’ data before TikTok is able to fix it.
How to Protect against Zero-Day Vulnerabilities
There is no way to completely avoid zero-day vulnerabilities, but you can take the following extra precautions so that a single flaw is less likely to hand an attacker your TikTok account:
- Make sure you are using the latest version of TikTok, so that known flaws are patched as soon as a fix ships
- Enable two-factor authentication, so that a leaked password alone is not enough to log in
5. Weak Passwords
Attackers can easily take over TikTok accounts by guessing the password, especially if it is something personal or commonly used such as a nickname, phone number, partner’s name or pet name, just to name a few. If the password is a bit harder to guess, the attacker can instead run a brute-force or dictionary attack, trying large lists of leaked and common passwords before falling back to exhaustive search.
How to Protect Against Weak Passwords
Users should select a long password made up of numbers, symbols (spaces included), and lower- and upper-case letters; length matters more than any single character class. Make sure the password for your TikTok account is unique and not reused for your email or other social media accounts, so that a breach elsewhere does not compromise your TikTok account as well. You can also use a breach-notification service to check whether your credentials have already appeared in a public leak.
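To show why the advice above matters, here is an added example (not TikTok’s code) that assesses a password the way an attacker would approach it: first against a list of common passwords, then by estimating the key space a brute-force search would have to cover. The common-password list is a small constructed sample (real lists have millions of entries) and the guess rate of 10 billion guesses per second is an assumption standing in for an offline cracking rig.

```javascript
// Added example (not TikTok's code): estimate how resistant a password is to
// guessing and brute force. The common-password list is a constructed sample
// (real lists have millions of entries), and the guess rate is an assumption.

const COMMON_PASSWORDS = new Set([
  "123456", "password", "qwerty", "tiktok", "iloveyou", "password123", "abc123",
]);

// How many of the four character classes the password actually uses.
function countClasses(pw) {
  return [/[a-z]/, /[A-Z]/, /[0-9]/, /[^a-zA-Z0-9]/].filter((re) => re.test(pw)).length;
}

// Size of the alphabet a brute-force search must cover for this password.
function charsetSize(pw) {
  let size = 0;
  if (/[a-z]/.test(pw)) size += 26;
  if (/[A-Z]/.test(pw)) size += 26;
  if (/[0-9]/.test(pw)) size += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) size += 33; // printable ASCII symbols incl. space
  return size;
}

// Upper bound on brute-force entropy in bits: log2(charset ^ length).
function entropyBits(pw) {
  if (pw.length === 0) return 0;
  return pw.length * Math.log2(charsetSize(pw));
}

// Expected seconds to search half the key space at `guessesPerSecond`
// (assumed rate; an offline attack against leaked hashes can be this fast).
function bruteForceSeconds(pw, guessesPerSecond = 1e10) {
  return Math.pow(2, entropyBits(pw)) / 2 / guessesPerSecond;
}

function assessPassword(pw, common = COMMON_PASSWORDS) {
  const reasons = [];
  const lower = pw.toLowerCase();
  // Attackers try the common list first, so a hit there costs them nothing.
  const stripped = lower.replace(/[0-9!@#$%]+$/, ""); // "password123" -> "password"
  if (common.has(lower)) {
    reasons.push("appears in common-password list");
  } else if (common.has(stripped)) {
    reasons.push("common password with digits or symbols appended");
  }
  if (pw.length < 12) reasons.push("shorter than 12 characters");
  if (countClasses(pw) < 3) reasons.push("uses fewer than three character classes");

  const inList = common.has(lower) || common.has(stripped);
  return {
    weak: reasons.length > 0,
    entropyBits: Number(entropyBits(pw).toFixed(1)),
    // A list hit is guessed in the first pass, regardless of its nominal entropy.
    guessSeconds: inList ? 0 : bruteForceSeconds(pw),
    reasons,
  };
}

// Constructed sample passwords.
for (const pw of ["password123", "qwerty", "Tr0ub4dor&3 rides at dawn"]) {
  console.log(JSON.stringify(pw), assessPassword(pw));
}
```

The interesting case is `password123`: its nominal key space (eleven characters from a 36-symbol alphabet) looks like days of brute force, yet it is guessed instantly because it sits in every common-password list. That is why the list check runs before the entropy estimate, and why uniqueness and length matter more than sprinkling in a digit.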
Final Thoughts on TikTok Hacks and How to Prevent Them
These were just five common vulnerabilities and techniques that may allow attackers to take over TikTok accounts, and how to protect against each of them. I am sure that many other techniques exist, but these are the ones I found most important. Attackers are often a step ahead in finding new techniques, and prevention is not always possible at first, so you should make sure that you do everything you can to keep your account secure.