TikTok Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

TikTok Shopping Scams On The Rise: Tips to Avoid
https://gridinsoft.com/blogs/tiktok-shopping-scams/ (Tue, 23 Jan 2024 16:05:33 +0000)

The post TikTok Shopping Scams On The Rise: Tips to Avoid appeared first on Gridinsoft Blog.

TikTok shopping scams are a new attack vector against online shoppers. The immense popularity of the Chinese social network led to the addition of shopping functionality to the app. This, however, attracted fraudsters who aim to profit from people’s unawareness of potential scams. In this article, I am going to explain how these scams work and how you can detect them before it is too late.

The Rise of TikTok as a Shopping Hub

TikTok, known for its engaging content and for starting the short-video (reel) trend, now has shopping functionality, attracting businesses to connect their stores to it. As a result, a staggering 48% of TikTok users have reportedly made in-app purchases, as the Better Business Bureau noted. This surge in e-commerce activity brings the peril of scams, where false advertisements and deceitful practices exploit the unwary shopper, especially when the target audience is teenagers and young people who have no idea what scams exist on the internet.

Understanding Scams on TikTok

We’ve looked at Instagram scams before; they are less widespread there, but TikTok is catching up. To know what to avoid, you need to understand how these scams work. Here are the most common TikTok shopping scams:

Fake Products and Sellers

From the beginning, the TikTok marketplace was conceived as a place where sellers could offer goods at discounted prices, which proved profitable. The problem is that the promoted goods are not always genuine. There have also been cases where the seller disappeared from TikTok after the item was purchased. Some scammers try to pass themselves off as genuine businesses; the main sign of a scam, however, is a product sold at an implausibly low price. Buying a product known to be fake is a waste of money.

Image: TikTok ad promoting knock-off massage guns

This repeats the most widespread type of scam from other social media: scams on Facebook or YouTube are based on promoting a page with incredible discounts. Some features specific to TikTok, however, allow for other kinds of fraud.

Malicious Links in Bio

Scammers often place harmful links in their TikTok bio descriptions. They claim to offer free rewards, content downloads, coupon codes, and the like. Usually, these links lead to Telegram channels that have nothing to do with what was promised. But sometimes these links lead to malware installation, credential theft, or simply a redirect to harmful sites.

Image: a TikTok account with a tempting video that asks you to click the link in the bio

Money-Making Promises

A related scam is often promoted alongside shopping scams. Crooks make false promises of money or expensive prizes in exchange for a small upfront payment or personal information. In reality, they are just trying to trick you. Fraudsters use enticing offers of fast cash to trap you into giving away your personal and financial information or paying for fraudulent products. This includes Ponzi schemes, fraudulent apps, and other tactics used to lure you in.

Image: a deceptive TikTok ad promoting one of the iMoney applications

Youth at Risk

TikTok draws marketers for its unique ability to connect with younger people. Beneath the fascinating content, however, there is a dark underbelly. This is especially alarming because young people are not very aware of TikTok shopping scams and are easily influenced.

According to the same study, the largest group of users who have purchased on the platform are between 10 and 19 years old. Overall, users between 10 and 29 make up over 50% of the platform’s user base. Although TikTok vets its sellers and removes products that violate the platform’s Terms of Service, that doesn’t stop scammers. If a user violates these policies, their account may be temporarily disabled or even permanently deleted, but it is easy for crooks to create a new account.

Recommendations for Users

Unfortunately, with any new service there is a possibility of fraud. This is especially true for online shopping, as verifying a seller’s identity or background can be difficult. Consumers should vigilantly follow online shopping safety tips when using TikTok Shop. The following tips can help you save time and money:

  • Research the seller before you buy. It is essential to research the seller and their website before making a purchase. Prioritize verified sellers, identifiable by a blue tick mark on their pages. Seeing a product on TikTok does not guarantee its authenticity or the seller’s trustworthiness.
  • Read comments and reviews. Checking comments and reviews from other users is an effective way to assess new sellers. You can also use TikTok’s search bar to find videos uploaded by previous customers showcasing the products they bought, which gives a better picture of the quality of the goods on offer.
  • Explore the return policy. Be wary if the contact information is shady or unclear. According to TikTok Shop’s return policy, customers can request a return or refund within 30 days of receiving their package.
  • Pay attention to the URL. Always inspect the URL of a retailer’s website. Most retail websites have simple URLs like louisvuitton.com or cultbeauty.co.uk. If you see extra characters in the URL and additional words such as “super discounts,” “deals,” or “offers,” it is probably a scam. This is especially true for online stores on “.shop,” “.site,” “.fun,” and “.top” domains.
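The URL red flags listed above (marketing words in the hostname, the cheap generic TLDs, a brand name wrapped in extra characters) can be turned into a small checker that a user, or a script scanning links found in bios and ads, can run before visiting a store. The following is an added example written for this post, not Gridinsoft’s code; the brand list, thresholds and sample URLs are constructed for illustration.

```python
# Added example, not Gridinsoft's code: heuristic red-flag checks for a store
# link (from an ad, a bio, or a message), following the signals the article
# lists. Brand list and sample URLs are constructed for illustration.
import re
from urllib.parse import urlsplit

# Top-level domains the article singles out as common among fraudulent stores.
SUSPICIOUS_TLDS = {"shop", "site", "fun", "top"}

# Marketing words that do not belong in a legitimate retailer's hostname.
BAIT_WORDS = {"super", "discount", "discounts", "deal", "deals", "offer", "offers", "sale"}

# Brand name -> official hostname. A real deployment would load a long list;
# these two come from the article's examples of simple, legitimate URLs.
KNOWN_BRANDS = {"louisvuitton": "louisvuitton.com", "cultbeauty": "cultbeauty.co.uk"}


def hostname_of(url: str) -> str:
    """Extract the lower-cased hostname; tolerate links pasted without a scheme."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def url_red_flags(url: str) -> list[str]:
    """Return human-readable red flags for a retailer link (empty list = none found)."""
    host = hostname_of(url)
    labels = host.split(".")
    flags: list[str] = []

    # 1. Cheap generic TLD that the article associates with scam stores.
    tld = labels[-1]
    if tld in SUSPICIOUS_TLDS:
        flags.append(f"uses .{tld} top-level domain")

    # 2. Marketing words embedded in the hostname ("super-discounts", "best-deals").
    tokens: set[str] = set()
    for label in labels[:-1]:
        tokens.update(t for t in re.split(r"[-_\d]+", label) if t)
    bait = sorted(BAIT_WORDS & tokens)
    if bait:
        flags.append("marketing words in hostname: " + ", ".join(bait))

    # 3. A known brand name inside a hostname that is not the brand's own domain
    #    (or a subdomain of it), e.g. louisvuitton-deals.shop.
    for brand, official in KNOWN_BRANDS.items():
        if brand in host and host != official and not host.endswith("." + official):
            flags.append(f"contains '{brand}' but is not {official}")

    # 4. Many extra labels, a common trick to push the real domain out of view.
    if len(labels) > 4:
        flags.append("unusually deep subdomain nesting")
    return flags


def verdict(url: str) -> str:
    """One-line summary a user or a bio-link scanner can act on."""
    flags = url_red_flags(url)
    return "no obvious red flags" if not flags else "suspicious: " + "; ".join(flags)


if __name__ == "__main__":
    for sample in ("https://louisvuitton.com/", "cultbeauty.co.uk",
                   "https://louisvuitton-deals.shop/sale",
                   "http://super-discounts-louisvuitton.top"):
        print(sample, "->", verdict(sample))
```

The checks only look at the hostname, never at the path, because the path is fully under the site owner’s control and carries no trust signal; an empty result means “nothing obvious”, not “safe”, so the seller and review checks above still apply.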

Remember, TikTok never asks for a password or any other confidential information. Any messages or emails making such requests are fraudulent. The easiest and most effective way to get a fraudulent store removed is to report it: if you notice suspicious activity, you can report it via TikTok’s reporting form.

TikTok Flooded By Elon Musk Cryptocurrency Giveaway Scams
https://gridinsoft.com/blogs/tiktok-elon-musk-cryptocurrency-giveaway-scams/ (Tue, 19 Sep 2023 07:50:52 +0000)

Recently, TikTok has been inundated with cryptocurrency giveaway scam videos spread across the platform. Most of these scams are dressed up as content related to Elon Musk, Tesla, or SpaceX. The prospect of quick and easy cryptocurrency makes them a constant and disturbing threat.

TikTok flooded by “Elon Musk cryptocurrency giveaway” scams.

The creativity of scammers trying to take advantage of TikTok’s massive user base is plain to see. TikTok faces a severe problem with the proliferation of fraudulent cryptocurrency giveaway scams on the platform. Scammers go all out for profit: they create hundreds of websites posing as crypto exchanges or free giveaway sites. According to them, all a user has to do to get free cryptocurrency is register on the site and enter the promo code from the video.

The small detail the video leaves out is that the user must pay a modest sum for “account activation” before being allowed to withdraw funds. The reality is grim: no payout ever happens. These scams are elaborate traps that steal users’ funds and leave them empty-handed. Besides, there is always the chance of being double-crossed. Although this scheme is quite old, it is still very effective; as the saying goes, old but gold.

The Elon Musk impersonation

Attackers learned long ago that promoting mass fraud on behalf of famous personalities is much more effective. Among media personalities, the first name associated with cryptocurrency giveaway scams is Elon Musk. Moreover, his bizarre behavior and habit of talking nonsense in public and promoting questionable things adds credibility to any scam that mentions his name. So the scammers publish a fake video in which Fox News or others interview Elon Musk and promote a phony cryptocurrency giveaway.

Image: TikTok crypto scam video

The strategy relies on impersonating Elon Musk and his companies, Tesla and SpaceX. The videos are designed to make people think they are taking part in a genuine promotion; some contain instructions on how to log into the listed website and enter a promo code to get free bitcoins. Many of the websites have very similar names, like Moonexio[.]com, altgetxio[.]com, and cratopex[.]com or, as in our case, bitoxies[.]com.

How do cryptocurrency giveaway scams work?

It starts with a TikTok video that the user can find via the hashtag #bitcoinforbeginners. There are many near-identical videos, as if copied from one another; the only difference is the promo code, which is unique to each. We open a random video, see a fragment of the interview mentioned above on the cover, and then follow the instructions for registering on the site.

Image: steps from registering on the site to receiving a bonus by promo code

We open the site, register, and enter the code, and voila! We have bonuses in our account. We try to withdraw them and see an error saying that before we can operate, we must complete the account setup and activate it. For that, the service asks for a deposit equivalent to 0.005 BTC.

Image: withdrawal error; the website asks for a 0.005 BTC deposit for account activation and withdrawal

Obviously, after topping up the account, you still cannot withdraw funds. The essence of this scam is to lure victims out of their money in this way. In addition, the site asks for KYC information, which attackers can use to try to break into the victim’s other, legitimate accounts. Altogether, this pushes the risk well beyond the loss of money.

It is also important to note that the websites mentioned may change their names but keep the same message. There is an entire pandemic of such sites, with exactly the same design and promises but different names.

Image: main pages of several crypto scam sites, all alike (“My name is Legion”)

How to avoid crypto scams?

This fraudulent scheme is based first on the unawareness of users, and second on greed and the desire to get something for nothing. We can help with the first; the second comes with experience. It is essential to learn that you must pay for everything in life, and no one will give you anything for free. It also helps not to take investing advice from TikTok. Elon Musk’s crypto giveaways are like his promises to improve Twitter: they’re fake. Cryptocurrency is not something you can invest in on a whim. Before investing, you should study this field well and understand it completely; otherwise, losses are inevitable. In addition, we recommend that you only use official platforms and apps. The following red flags will help you identify scams:

  • The ad promises free cryptocurrency for performing simple actions such as subscribing to an account, watching a video, or commenting on a post.
  • The ad contains errors or typos.
  • The ad looks informal or unprofessional.
  • The ad requires entering your personal or cryptocurrency wallet information.

If you see a post or comment that fits one or more of these traits, it’s best to ignore it.


TikTok Invisible Challenge Is Used to Spread Malware
https://gridinsoft.com/blogs/tiktok-invisible-challenge-is-used-to-spread-malware/ (Thu, 01 Dec 2022 12:46:08 +0000)

The TikTok Invisible Challenge became yet another host for threat actors. Crooks found a way to spread the WASP information stealer disguised as a utility that reverts the in-app filter. Users who took the bait risk their account credentials and banking information.

What is the TikTok Invisible Challenge?

Like Instagram in the previous decade, TikTok gives birth to numerous challenges. The Invisible Challenge is just another example, and it reached dozens of countries across the globe. It invites people to record a video using a new filter that removes the human body from the recording, leaving only a transparent silhouette and the clothes the person was wearing. Such AI-based filters are not new, but this challenge seemingly aims to popularize their use. Not a bad idea on paper, but it created an unexpected problem.

Image: an example of the Invisible filter at work

Some users, particularly women, decided to undress on camera with this filter enabled. As long as the filter remains active, there is no risk of revealing your naked body. But some viewers started thinking about reverting the filter effect to see the original, with no clothes and no filter. Although this is impossible unless you have access to the device that recorded the video, some cunning fellows offered a way to “unfilter” it. And that is where the problems started.

TikTok Invisible Challenge spreads malware

Most of the time, those who offer to unfilter the video share a link to a Discord server. That server is full of videos that look like the output of a filter-removal utility, so an unsuspecting user will likely believe the ability to remove the filter is real. As I mentioned before, it is possible only with access to the source video, which exists only on the author’s device. TikTok’s servers hold only the edited version of the video, from which the filter cannot be stripped.

So we have established that the “Unfilter” utility is not real. What, then, is distributed under the guise of this tool? Numerous victims who followed the instructions from discord[.]gg/unfilter got the WASP stealer on their devices. This malware targets credentials, cryptowallet information, banking data, and the like. The application itself was posted on GitHub, which for some reason is considered a reliable source with no chance of malware. A bot in Discord additionally asked channel participants to star (i.e. upvote) the pseudo-utility’s repository. By the number of those stars, over 100, we can estimate the number of victims. The Discord channel had over 700 members and is now defunct.

Image: the defunct Discord server; crooks moved the “Unfilter” server before Discord blocked it

Is WASP stealer dangerous?

Safe malware does not exist; it is an oxymoron. Stealers are no exception: they aim to steal a wide range of user credentials, including financial ones. Most often, crooks pack the stolen data into large databases and sell them on the darknet. At that point, anyone can purchase it and use it for their own purposes, and as you can guess, the darknet is not famous for benevolent users. You can say goodbye to your savings in both crypto and bank accounts, as well as your accounts on social networks. That will not happen instantly, but it is unavoidable if countermeasures are not taken.

If you suspect an infection with stealer malware, take the following steps:

  1. Scan your computer with anti-malware software. This should be your first and foremost step, since active malware can render all of the following actions useless. Stealers are not easy to detect, so you need an advanced solution with both thorough scanning and frequent updates. GridinSoft Anti-Malware fits both criteria.
  2. Change all your passwords. The malware grabbed your current credentials, so changing your login information is vital to make its haul useless. The sooner you do it, the less time hackers have to use your accounts and money.
  3. Notify your friends and family about the threat. TikTok is a very popular social network, so not only you but people you know may be at risk. The more people know that Invisible Challenge filter reversal is not real, the less profit hackers will make.

However, stealers, like any other malware, are better prevented before they make their way onto your device. Avoid anything questionable, especially when it contradicts the very basics of how things work. Be very skeptical of any software from unknown publishers you find online. Preventing the threat is always far easier than dealing with its consequences.

TikTok Scams Stealing Money And Data. Beware!
https://gridinsoft.com/blogs/most-common-tiktok-scams/ (Fri, 30 Sep 2022 16:57:32 +0000)

TikTok has become a popular social network with over a billion registered users. According to statistics, the average user spends about 95 minutes a day on the platform. Such an extensive social network is also susceptible to many different scams, and scammers have found ways to hurt users and lure them into their traps.

Who is being targeted by TikTok scams?

TikTok was launched in 2017, and scammers started using the platform shortly after its release. Many TikTok scammers create fake accounts to swindle money, distribute malware to your device, or acquire confidential data for sale on the darknet. One of their biggest target audiences is children under 14. Privacy concerns like these are why parents believe social media is unsafe for kids.

Most common TikTok scams

TikTok is susceptible to many different types of fraud. Users of the platform encounter scams ranging from easy-money offers to fake accounts promising true romance. Some scammers even claim to be famous or influential people. By knowing the methods of these scammers, you can avoid their devious techniques. Some of the most common TikTok scams are outlined below.

Image: scammers targeting TikTok profiles

1. Easy money offers and fake giveaways

Criminals often use the promise of easy money to lure victims into their schemes. These crooks claim that large financial rewards are available for minimal effort on the victim’s part. Scammers may also claim that a famous person will randomly select someone to give a large sum of money to, provided they follow the scam’s instructions. Any offer that is too good to be true is probably a scam. Confusing deals and agreements are common among social media accounts; they may promise a lot of money or gift cards in exchange for liking, following, or sharing information. Although these scams are common on social media platforms, most of them are banned.

2. Duplicated celebrity and influencer accounts

Impersonators frequently copy the social media accounts of celebrities and influencers, then use that content to grow their own follower count. They might even claim to donate to charity, which is one of the ploys they use to win users’ trust. They might also try to convince users to invest in cryptocurrency, of course through the affiliate link that this “celebrity” offers.

If you see a suspicious celebrity account, look for red flags: poor spelling, the account sending you a private message, or an offer that seems too good to be true. If the account is fake, you won’t find any mention of it on the celebrity’s official website.

Image: the verified official profile of Billie Eilish

3. Bot accounts

TikTok, like other social networks, has become a platform where bot numbers are skyrocketing. The purpose of these bots is to spread as much false information as possible and to send links to phishing sites through which they can harvest user data. Some of these links lead to malicious content that can harm users’ PCs and other devices.

4. Phishing (the most common cyberattack)

Phishing is an easy way to harvest confidential user data. Phishing messages or comments look completely harmless and casual at first sight, and they convince users to click a particular link or attachment. Generally, these are offers to increase the number of followers or to get a verification badge.

Once a user opens such an attachment or link, they risk infecting their PC with malware. To hijack an account, scammers can send a link to a server that steals the authentication token. Another variant is a request to enter your credentials in order to “sign in” to your account. If the user does not use two-factor authentication, hackers are even more likely to gain access to the victim’s sensitive data.

Image: scammers trying to convince a TikTok user to hand over personal information

5. Promoted scam apps

TikTok has profiles that advertise and promote rogue apps. This is done to infect the user’s device with malicious content or to distribute spam. Malicious applications may also demand payment for installation. It is therefore best to read the reviews of such apps and check their ratings; if other users’ responses are questionable, it is better to refrain from installing them.

6. Bogus products and services

Since the TikTok marketplace launched, users can sell their products. There is one catch: the goods often do not match the picture in the advertisement. Moreover, the buyer may pay and the seller never deliver the goods. So be careful what you buy on social networks, all of them, not only TikTok. Also check whether the TikTok profile carries a blue tick, i.e. whether it is verified.

Tips to stay safe on TikTok

TikTok is a platform where users can post short videos, rack up views, advertise their products, and more. Fraudsters, however, have decided to use the platform differently. The points above show that you need to be more careful on the Internet. So, here is a list of the most important measures to take to avoid becoming another victim of scammers.

  1. Do not allow everyone to send you messages. This way, you protect yourself from phishing messages, unwanted ads, and other junk.
  2. Do not click unfamiliar links and attachments. Such attachments may carry malicious content. They may also request your confidential information and then sell it to third parties or use it for other malicious acts.
  3. Use two-factor authentication. This reduces the chances of hackers successfully breaking into your accounts, because 2FA requires a second check on whoever logs in.
  4. Use reliable protection such as GridinSoft Anti-Malware, which protects you from spyware, adware, trojans, and other malware. So even if a fraudster convinces you to click a malicious link or anything else, GridinSoft Anti-Malware will prevent the payload from getting onto your device.


Attackers can bypass TikTok multi-factor authentication through the site
https://gridinsoft.com/blogs/attackers-can-bypass-tiktok-multi-factor-authentication-through-the-site/ (Mon, 28 Sep 2020 16:11:09 +0000)

ZDNet journalists, citing one of their readers, report that the web version of TikTok did not get the multi-factor authentication (via email and SMS) that the developers rolled out to all users of the platform in August.

Thus, an attacker who has somehow obtained someone else’s credentials (for example, through phishing or brute force) can log into the TikTok account through the website.

“This lapse in TikTok’s MFA implementation opens the door for scenarios where a malicious threat actor could bypass MFA by logging into an account with compromised credentials via its website, rather than the mobile app,” ZDNet journalists write.

Fortunately, through the web version hackers cannot change the user’s password and completely take over someone else’s account. Basically, all an attacker can do is upload and publish a new video, for example to ruin an account’s reputation or to advertise a fraudulent product on behalf of a popular user. The publication also notes that hijacked accounts can be used to spread disinformation, propaganda, and so on.

Journalists note that the TikTok mobile app does not notify the user in any way about active sessions in the web version. This essentially means that TikTok does not warn users at all if someone has used their credentials to log into the account through a browser.

“It’s a well-known fact that Facebook and other companies have abused 2-factor SMS signups, and a clear indicator that TikTok has done something similar is the reality that the TikTok 2-factor is an illusion, and totally optional when using the website login features,” security researcher Zach Edwards told ZDNet.

TikTok developers have already promised to fix the problem and extend multi-factor authentication to the site too, but they have not named any specific time frame yet.

“In the meantime, users who have enabled MFA for their TikTok account for security reasons should not be lowering their guard and reuse passwords from other accounts, thinking MFA blocks all attackers. These users should continue to use complex and hard-to-guess passwords,” TikTok representatives advised.

ZDNet notes that the login page is protected by a CAPTCHA, so users can hardly expect a wave of automated attacks and mass compromise of TikTok accounts.
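The design lesson in this report is that a second-factor check enforced by one client (the mobile app) and skipped by another (the website) is no second factor at all, and that a user who is never told about new sessions cannot notice the intruder. The following is an added example, not TikTok’s or Gridinsoft’s code: a toy account service that reproduces that gap next to a hardened variant which enforces the account’s MFA setting in one place regardless of channel and records a notice for every new session. Account names, passwords and codes are constructed.

```python
# Added example, not TikTok's or Gridinsoft's code: a toy account service that
# reproduces the design gap ZDNet describes (MFA enforced for one client, skipped
# for another) next to a hardened variant that enforces the account's MFA
# setting centrally and records a notice for every new session. Passwords,
# MFA codes and account names below are constructed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


class LoginFailed(Exception):
    pass


class MfaRequired(Exception):
    pass


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    mfa_enabled: bool
    mfa_code: str                       # stand-in for a TOTP seed or SMS-bound code
    sessions: list = field(default_factory=list)
    notices: list = field(default_factory=list)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_account(username: str, password: str, mfa_enabled: bool, mfa_code: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, salt, _hash_password(password, salt), mfa_enabled, mfa_code)


class AuthService:
    """hardened=False: the MFA check lives in the mobile flow only, so a web login
    with a stolen password succeeds. hardened=True: one policy for every channel."""

    def __init__(self, accounts: list, hardened: bool):
        self.accounts = {a.username: a for a in accounts}
        self.hardened = hardened

    def _check_password(self, username: str, password: str) -> Account:
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt)):
            raise LoginFailed("bad credentials")
        return acct

    def _mfa_ok(self, acct: Account, code) -> bool:
        return code is not None and hmac.compare_digest(acct.mfa_code, code)

    def login(self, username: str, password: str, channel: str, mfa_code=None) -> str:
        acct = self._check_password(username, password)
        if self.hardened:
            needs_mfa = acct.mfa_enabled                         # depends on the account only
        else:
            needs_mfa = acct.mfa_enabled and channel == "mobile"  # the web path never asks
        if needs_mfa and not self._mfa_ok(acct, mfa_code):
            raise MfaRequired(f"second factor required for {channel} login")
        token = secrets.token_hex(16)
        acct.sessions.append({"token": token, "channel": channel})
        if self.hardened:
            acct.notices.append(f"new login via {channel}")  # lets the user spot a stranger
        return token


def attempt(service: AuthService, username: str, password: str, channel: str, mfa_code=None) -> str:
    """Outcome as a string so the cases are easy to compare side by side."""
    try:
        service.login(username, password, channel, mfa_code)
        return "session issued"
    except MfaRequired:
        return "mfa required"
    except LoginFailed:
        return "rejected"


def demo() -> dict:
    """Same stolen password against both designs; returns the outcomes."""
    pw, code = "correct horse battery", "246810"
    flawed = AuthService([make_account("alice", pw, True, code)], hardened=False)
    hard = AuthService([make_account("alice", pw, True, code)], hardened=True)
    return {
        "flawed/mobile, password only": attempt(flawed, "alice", pw, "mobile"),
        "flawed/web, password only": attempt(flawed, "alice", pw, "web"),
        "hardened/web, password only": attempt(hard, "alice", pw, "web"),
        "hardened/web, password + code": attempt(hard, "alice", pw, "web", code),
        "hardened/web, wrong password": attempt(hard, "alice", "guess", "web", code),
        "hardened notices": list(hard.accounts["alice"].notices),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The hardened branch decides purely from the account’s own MFA setting, so adding a new login surface later cannot silently drop the check; the notice list is the hook a real service would turn into the push or e-mail alert that the article says the TikTok app did not send.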

Let me remind you that earlier this year, researchers managed to hack TikTok using SMS.

Vulnerability in Indian TikTok clone allows hacking user profiles
https://gridinsoft.com/blogs/vulnerability-in-indian-tiktok-clone-allows-hacking-user-profiles/ (Tue, 02 Jun 2020 16:46:00 +0000)

The Hacker News reports that Indian security specialist Rahul Kankral discovered a critical vulnerability in the Mitron Android application, a TikTok clone. The vulnerability allows hijacking other people’s accounts without any user interaction.

More recently, the Mitron app hit the headlines with over 5 million installations and over 250,000 five-star ratings in just 48 days after being released on the Google Play Store.

Interestingly, although Mitron is positioned as an Indian application, it was not developed in India.

“The application was not developed at all from scratch, instead, someone bought a ready-made solution and simply renamed it. In fact, Mitron is a repackaged version of the TicTic app, created by a Pakistani development company, Qboxus, which sells ready-to-use clones of TikTok, musical.ly, Dubsmash and other similar services,” The Hacker News reporters noted.

Who exactly is standing behind Mitron is still unclear, but many assume that the application belongs to a former student of the Indian Institute of Technology.

Although Mitron is not the product of any large company and was not created in India, the application quickly gained popularity in the country, not least thanks to Prime Minister Narendra Modi’s initiative aimed at making India more self-reliant. This generated a wave of calls to boycott Chinese services and products, and hashtags such as #tiktokban and #IndiansAgainstTikTok became trending.

As a result, the fact that TikTok is a Chinese application and rumors that it may misuse user data and trace users, unfortunately, have pushed millions of people to switch to a much more dangerous alternative.

“Mitron contains a critical and extremely easy-to-use vulnerability that allows bypassing authentication for any user account in a few seconds. The root of the problem is how the Login with Google function is implemented in the application, which, during login, asks users for permission to access their Google profile data, but does not use this information and does not create secret authentication tokens,” according to The Hacker News.

In essence, the vulnerability makes it possible to log into any Mitron user account simply by knowing its unique user ID, without entering a password. That ID is public information and is not hard to find. This is what the researcher demonstrates in the video below.
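To make the root cause concrete, here is an added illustration of the flawed login pattern described above beside its corrected form. This is example code written for this article, not Mitron’s, TicTic’s or Qboxus’s code: the user table, the client ID and the signing key are constructed sample values, and a toy HMAC-signed token stands in for Google’s signed ID token (a real server verifies the provider’s RS256 signature with the provider’s published public keys). The vulnerable endpoint trusts whatever user ID the client sends; the hardened one derives identity only from a verified token’s `sub` claim and ignores any user ID in the request.

```python
"""Added example: client-trusted user id (flawed) vs. verified identity token.
Not the code of any real app; all keys, ids and users below are constructed."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample user table: app user id -> profile, including the stable
# subject id ("sub") that the identity provider reports for that user.
USERS = {
    "1001": {"name": "alice", "sub": "provider-sub-alice"},
    "1002": {"name": "bob", "sub": "provider-sub-bob"},
}
APP_CLIENT_ID = "example-app-client-id"          # assumed audience value
IDP_SIGNING_KEY = b"constructed-idp-signing-key"  # stands in for the IdP's key
SESSIONS = {}                                     # session token -> user id


def issue_session(user_id):
    """Create an unguessable server-side session bound to a user id."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def login_vulnerable(request):
    """Flawed pattern: the server trusts the client-supplied user id and never
    checks that the caller proved ownership of that account."""
    user_id = request.get("user_id")
    if user_id in USERS:
        return issue_session(user_id)
    return None


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def idp_issue_token(sub, audience, key=IDP_SIGNING_KEY, ttl=300):
    """Toy identity-provider side: sign the claims (stand-in for the provider's
    real signed ID token). Only the provider holds the signing key."""
    claims = {"sub": sub, "aud": audience, "exp": int(time.time()) + ttl}
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64url(sig)


def verify_id_token(token, audience, key=IDP_SIGNING_KEY):
    """Return the claims only if signature, audience and expiry all check out."""
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # covers malformed base64, bad JSON and bad UTF-8
        return None
    if claims.get("aud") != audience or claims.get("exp", 0) < time.time():
        return None
    return claims


def login_hardened(request):
    """Corrected pattern: identity comes from the verified token's "sub" claim;
    any user_id the client sends is ignored entirely."""
    claims = verify_id_token(request.get("id_token", ""), APP_CLIENT_ID)
    if claims is None:
        return None
    for user_id, profile in USERS.items():
        if profile["sub"] == claims["sub"]:
            return issue_session(user_id)
    return None
```

The point to check in a code review is the second function: the account to log into is looked up from the verified `sub`, never from a request parameter, so knowing someone’s public user ID gives no way to obtain their session.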

Representatives of Qboxus, the actual creators of TicTic (and therefore of Mitron), told the media that the company only sells source code that customers must configure themselves. The company also said it is concerned that the application is positioned as Indian (which is not true) and is distributed without any changes to the code.

It is still unclear whether the developers are going to fix the vulnerability in their code and notify other buyers about the problem. More than 250 other developers have already purchased the TicTic code, and those clones may be affected by the same vulnerability.

The researcher who discovered the problem in Mitron tried to report the bug to the application’s owner, but it turned out that the email address listed on the Google Play Store does not work. There is no other way to contact the buyer of the clone, and the home page of the web server hosting the application’s infrastructure (shopkiller.in) is empty.

The expert urges all Mitron users to remove the application immediately and revoke its permission to access their Google profile.

However, the original Chinese TikTok is not perfectly safe either: I have already told you that researchers managed to hack TikTok using SMS.

Researchers hacked TikTok app via SMS
https://gridinsoft.com/blogs/researchers-hacked-tiktok-app-via-sms/ (Thu, 09 Jan 2020 18:36:46 +0000)

Check Point experts found many issues in one of the world’s most popular applications, TikTok. Recently, researchers hacked the TikTok app using SMS.

TikTok is available in more than 150 markets, is used in 75 languages worldwide and has more than 1 billion users. In October 2019, TikTok was named one of the most downloaded applications in the world.

The application is used mainly by teenagers and children to create short music videos.

“In the last few months we have seen evidence of the potential risks embedded within the TikTok application, and this has been acknowledged as well by others in the industry. According to USA Today, the US Navy banned the use of the application for its personnel, while in an article by The Guardian, Senior Democrat Chuck Schumer says that the “TikTok app poses potential national security risk”. In addition, the New York Times has published that TikTok is under national security review. Most recently, CNet.com reported that the US Army banned TikTok from use on government phones, reversing its policy on the entertainment app, which it recently used as a recruiting tool,” write Check Point specialists.

In short, knowing only the victim’s phone number, attackers could manipulate the victim’s account and gain access to personal data. Chaining several vulnerabilities allowed remote execution of malicious code and unwanted actions on behalf of the victims, without their consent.

Taken individually, all the detected vulnerabilities were of low severity: they involved link spoofing in SMS messages, open redirects and XSS.

In combination, however, these bugs allowed a remote attacker to perform the following actions:

  • Remove any videos from the victim’s profile;
  • Upload unauthorized videos to the victim’s profile;
  • Make private “hidden” videos public;
  • Disclose personal information stored in the account, including addresses and email addresses.

To perform the attack, the specialists used the insecure SMS-sending feature that TikTok offers on its website: users can enter their phone number to receive a text message containing a link to download the application.

“As it turned out, the attacker could send an SMS message on behalf of TikTok to any number by placing in this message a special URL leading to a malicious page designed to execute code on a device with the TikTok application already installed,” says Check Point.

Combined with the open redirect and cross-site scripting issues, the attack allowed JavaScript to be executed on behalf of the victim as soon as they clicked the link received via SMS.
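The chain above depends on two server-side weaknesses a defender can close directly: a message-sending feature that lets the request dictate the link, and a redirect endpoint that forwards to any host. The following is an added example written for this article, not TikTok’s or Check Point’s code; the allowlisted hosts, the download URL and the phone numbers are constructed. It goes a little beyond the article by showing the look-alike and scheme-relative inputs that a prefix or substring check would wrongly accept, which is why the validator parses the URL instead of matching strings.

```python
"""Added example: closing an open redirect and a caller-controlled SMS link.
Not any real site's code; hosts, URLs and numbers are constructed samples."""
from urllib.parse import urlsplit

# Constructed allowlist standing in for the site's own hostnames.
ALLOWED_HOSTS = {"www.example-app.test", "example-app.test"}
# The "send me the app" link is a server-side constant, never a request field.
FIXED_DOWNLOAD_URL = "https://www.example-app.test/download"


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only same-site https URLs or plain relative paths.

    Parsing with urlsplit (rather than prefix/substring matching on the raw
    string) is what defeats look-alike hosts, userinfo tricks ("host@evil")
    and scheme-relative "//evil" URLs. Backslashes and control characters are
    rejected outright because browsers normalise them differently from the
    parser.
    """
    if not target or "\\" in target or any(c in target for c in "\r\n\t "):
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: must start with exactly one "/" ("//" is a network path).
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme != "https":
        return False
    return parts.hostname in allowed_hosts and parts.username is None


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return the requested target if it is same-site, otherwise a safe default."""
    return target if is_safe_redirect(target) else default


def build_app_link_sms(request: dict) -> dict:
    """Compose the SMS for the 'send download link' feature.

    Only the phone number is taken from the request; a "download_url" or any
    other field the caller includes is ignored, so the site cannot be used to
    deliver attacker-chosen links under its own sender name.
    """
    digits = request.get("phone", "").replace(" ", "").replace("-", "")
    if not (digits.startswith("+") and digits[1:].isdigit()
            and 8 <= len(digits) <= 16):
        raise ValueError("phone number must be in E.164 form, e.g. +15555550100")
    return {"to": digits, "body": f"Download the app: {FIXED_DOWNLOAD_URL}"}
```

A useful review habit for any redirect parameter is to run exactly this kind of table of accepted and rejected inputs as a unit test, so that a later refactor to string matching cannot silently reopen the hole.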

A video demonstration of the attack can be seen below.

Check Point notified ByteDance, the developer of TikTok, about these vulnerabilities at the end of November 2019, and a month later the developers released patches, fixing all the problems found.

Only recently it was reported that the Arab messenger ToTok turned out to be a project of the UAE intelligence services for mass surveillance of its citizens and beyond. What kind of “tok” curse is this? Be suspicious of any application with the word “Tok” in its name.
