Cybersecurity firm Check Point Research recently came out with a pretty damning article about TikTok vulnerabilities that gave hackers a great way to infiltrate users’ accounts. TikTok has since patched the issues, so you’re safe, but the creative way these attacks were put together offers a great learning opportunity. Even when messages appear to be coming directly from a service, you always have to be on your guard and consider why you’re receiving that message at that particular moment.
This will all make a bit more sense once we talk about the attack method, so let’s begin there. As Check Point Research details in this video, attackers were basically using TikTok’s “text yourself a link to download TikTok” feature—a convenient way to get an app, at first glance—to send users messages that appeared legitimate. They came from TikTok, after all; they looked like a TikTok text and had the same kind of “Download TikTok to start watching” messaging you’d see in a regular version of these text messages.
The attackers actually intercepted the original message request and modified the sent hyperlink, which allowed the attackers to perform a number of actions: adding or deleting videos from a user’s account; changing the privacy of a user’s videos; or retrieving information from a user’s account, like their email address, birthday, or payment information.
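The weakness described above is a "text me a link" endpoint that trusts the link it is handed. The server-side fix is to build the SMS from a link the server controls, and to honour a client-supplied link only after checking it against an allowlist. The following is an added illustration of that check, not TikTok's or Check Point's code; the host names, the parameter and the message text are placeholders.

```python
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts a "text me the app" link may point to.
# Placeholder names, not any real service's infrastructure.
ALLOWED_HOSTS = {"example-app.com", "www.example-app.com"}

# Server-side canonical link. The SMS body is built from this by default,
# never from an unchecked value taken out of the request.
CANONICAL_DOWNLOAD_URL = "https://www.example-app.com/download"


def is_safe_download_link(url: str) -> bool:
    """Return True only if url is an https link to an allowlisted host.

    Rejects what a tampered request would try to smuggle in: other schemes,
    look-alike hosts, userinfo before an '@', and non-standard ports.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    # "https://www.example-app.com@evil.example/" parses as userinfo + evil host
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    # Exact match only: "www.example-app.com.evil.example" must fail
    if host not in ALLOWED_HOSTS:
        return False
    try:
        if parts.port not in (None, 443):
            return False
    except ValueError:  # port present but not a valid number
        return False
    return True


def build_sms_body(requested_url: Optional[str] = None) -> str:
    """Build the SMS text. A client-supplied link is used only if it passes
    the allowlist; anything else falls back to the canonical link."""
    link = CANONICAL_DOWNLOAD_URL
    if requested_url is not None and is_safe_download_link(requested_url):
        link = requested_url
    return f"Download the app to start watching: {link}"
```

Logging the rejected value alongside the request is worth adding in practice, since a stream of rejected links is exactly the signal that someone is probing the endpoint.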
What can we learn from this? Simple: Whenever you receive a message from someone—a person, a company, a service, whatever—asking you to do something, stop and consider why you were just sent that message:
Did you request something, and is the message a (fairly immediate) response to your request? You’re probably fine.
Did the message appear out of nowhere? Be sceptical.
Did the message appear out of nowhere and is it asking you to do something, like download a file or click on a link? Be even more sceptical, and probably don’t do it.
Did the message appear out of nowhere and is it asking you to confirm details about your personal life or your account? Don’t do it. Why would you do that?
It’s that easy, and approaching links and files you’re sent (or apps you’re asked to download) with that kind of caution can save you a world of hurt when someone tries to get you to click or run something malicious. Always consider the context of what you’re receiving, and err on the side of not engaging with links or files you’re sent out of the blue.
Obviously, if a friend sends you a link to a funny website or cat GIF in your email, you can be a little less cautious. But it never hurts to hover your mouse over a link to confirm that you’re going to go to a reasonable-looking URL or domain. Consider copying the link and pasting it in an Incognito or Private instance of your browser, just to be sure—if it’s full of unnecessary strings based around an unknown domain, rather than just a standard domain name you’re used to (and a file that ends in .GIF, for example), pause.
In the case of TikTok, you don’t even have to click or tap on links to download the app; go grab it yourself from your favourite app store. But like I said, you should be super-suspicious if you’re being asked to install an app or activate a service when you didn’t initiate the request. And that’s double true if you already have TikTok installed, which should be an obvious sign that someone is trying to mess with you and your account.