How to Prevent Hacks Like the TikTok Hack
Cybersecurity firm Check Point Research recently published a detailed write-up on TikTok vulnerabilities that gave attackers a straightforward way into user accounts. TikTok has since fixed the issues, so you’re safe, but the inventive way these attacks were put together offers a real learning opportunity. Even when a message appears to come directly from the service, you should always ask yourself why you are receiving it.
This all makes more sense once we talk about the attack method, so let’s start with that. As Check Point Research reports in this video, the attackers primarily abused TikTok’s “text yourself a link to download TikTok” feature, a convenient way for the legitimate app to send messages to users. The texts genuinely came from TikTok; they looked like TikTok texts and carried the same “Download TikTok to start watching” wording you see in the regular version of those messages.
The attackers intercepted their own request for that message and changed the hyperlink it contained, so the victim received a real TikTok text pointing at an attacker-chosen link. From there the attackers could perform a number of actions: add or delete videos in the victim’s account, change the privacy setting of a victim’s videos, or obtain information from the account such as an email address, date of birth, or billing information.
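The pattern behind that first step is a server that puts client-supplied content into a message it then sends from its own trusted sender. The following is an added illustration, not TikTok’s code or the code Check Point analyzed; the endpoint shape, parameter names, SMS wording and allowed hosts are assumptions made for the example. It shows the vulnerable form beside a hardened one that keeps the link server-controlled (or allowlists it when a deep link must vary per request).

```python
# Added illustration, not TikTok's code. The endpoint shape, parameter names,
# SMS wording and allowed hosts below are assumptions made for the example.
from urllib.parse import urlsplit

SMS_TEMPLATE = "Download TikTok to start watching: {link}"
OFFICIAL_DOWNLOAD_URL = "https://www.tiktok.com/download"   # assumed canonical link
ALLOWED_HOSTS = {"tiktok.com", "www.tiktok.com"}             # assumed allowlist for deep links


def build_sms_vulnerable(form: dict) -> str:
    """Vulnerable pattern: the link placed in the SMS is whatever the client
    request carried. Anyone who intercepts and edits their own request
    (a proxy is enough) chooses the link, yet the text still arrives from the
    service's genuine SMS sender, so it looks exactly like the real one."""
    return SMS_TEMPLATE.format(link=form["download_url"])


def is_allowed_link(url: str) -> bool:
    """Accept only https links whose host is on the allowlist. urlsplit()
    separates user-info from the host, so a trick such as
    https://www.tiktok.com@evil.example/ is judged by its real host."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    return (
        parts.scheme == "https"
        and parts.username is None
        and port is None
        and (parts.hostname or "").lower() in ALLOWED_HOSTS
    )


def build_sms_hardened(form: dict) -> str:
    """Hardened pattern: the client supplies a phone number only. A per-request
    deep link is used only after is_allowed_link() passes; anything else,
    including a stray download_url field, falls back to the fixed official link."""
    phone = form.get("phone", "")
    if not (phone.startswith("+") and phone[1:].isdigit() and 8 <= len(phone) <= 16):
        raise ValueError("invalid phone number")
    link = form.get("deep_link", "")
    if not is_allowed_link(link):
        link = OFFICIAL_DOWNLOAD_URL
    return SMS_TEMPLATE.format(link=link)
```

The design point is that the hardened version never trusts the client to say where the message should point; the only client input that reaches the SMS is validated, and anything that fails validation is replaced rather than passed through.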
What can we learn from this? Simple: whenever you receive a message from someone – a person, a company, a service, or whatever – asking you to do something, stop and think about why you just got this message:
- Did you ask for something, and is the message a (fairly immediate) response to your request? You are probably fine.
- Did the message come out of nowhere? Be skeptical.
- Did a message pop up out of nowhere asking you to do something like download a file or click a link? Be even more skeptical, and probably don’t.
- Did a message pop up out of nowhere asking you to confirm details of your personal life or your account? Do not do this. Why would you?
It’s that simple, and treating the links and files you are sent (or the apps you are asked to download) with this kind of scrutiny can save you the pain of someone tricking you into clicking or launching something malicious. Always keep in mind the context of what you are receiving, and make a point of not interacting with links or files that arrive unexpectedly.
Obviously, if a friend sends you a link to a funny website or a gif of a cat in an email, you might be a little less careful. But it never hurts to hover over the link (on a phone, long-press it to see a preview) to confirm that it leads to a sane-looking URL or domain. Consider copying the link and pasting it into an incognito or private browser window, just in case. If it is full of long, meaningless path segments on a domain you don’t recognize, rather than the plain domain name you’re used to (followed by a file that ends in .gif, for example), pause.
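The “does this URL look sane” check can be made a little more systematic than eyeballing it, because the common tricks (a fake domain in the user-info part before an @, the real brand used as a subdomain of an unknown domain, raw IP addresses, punycode look-alikes, long opaque paths) all show up in the parsed URL. The function below is an added example, not code from the article or from Check Point; the warning thresholds are heuristics chosen for illustration.

```python
# Added example, not from the article. Heuristic link inspection: returns a
# list of warnings, empty when the link is a plain https link to the expected
# domain. Thresholds (path length, label length) are illustrative choices.
import ipaddress
from urllib.parse import urlsplit


def inspect_link(url: str, expected_domain: str) -> list[str]:
    warnings = []
    try:
        parts = urlsplit(url.strip())
        parts.port  # raises ValueError on a malformed port; we only need the check
    except ValueError:
        return ["URL does not parse cleanly"]

    expected = expected_domain.lower().rstrip(".")
    host = (parts.hostname or "").lower().rstrip(".")

    if parts.scheme.lower() != "https":
        warnings.append(f"scheme is {parts.scheme or 'missing'!r}, not https")

    # https://www.tiktok.com@evil.example/... : the part before @ is user-info,
    # the real host is what follows it.
    if parts.username is not None:
        warnings.append(f"URL has user@ info; the real host is {host!r}")

    # A bare IP address is never the brand's normal download page.
    try:
        ipaddress.ip_address(host)
        warnings.append(f"host is a raw IP address: {host}")
    except ValueError:
        pass

    # Punycode labels (xn--) can render as look-alike characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append(f"host contains an internationalized (xn--) label: {host}")

    # Exact domain or a subdomain of it; tiktok.com.evil.example does not qualify.
    if not (host == expected or host.endswith("." + expected)):
        warnings.append(f"host {host!r} is not {expected!r} or a subdomain of it")

    # Long opaque path or query is a common sign of tracking/redirect wrappers.
    if len(parts.path) + len(parts.query) > 80:
        warnings.append("path/query is unusually long")

    return warnings
```

Use it with the domain you expect, e.g. `inspect_link(url, "tiktok.com")`, and treat any non-empty result as a reason to stop and look more closely rather than as a verdict; an empty list only means none of these specific tricks were detected.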
In the case of TikTok, you don’t even have to tap a texted link to get the app; go and get it from your favorite app store. But as I said, be extremely suspicious whenever you are asked to install an app or activate a service you did not request. And this is doubly true if you already have TikTok installed: a text urging you to download it should be an obvious sign that someone is trying to get at you and your account.