TikTok (the overseas version of Douyin) vulnerability exposed: a single link can open your private videos, and data theft and account takeover follow

TikTok, the overseas version of Douyin, has once again become the focus of heated debate today because of a vulnerability.

In plain terms the flaw is simple: because of how TikTok's infrastructure is designed, a hacker may be able to send a malicious link to a user and then "do whatever they want."

Put another way, the front door of TikTok's "home" has a problem: once an attacker gets in, they can open the videos in your drafts, go on to steal the payment information on the account, and ultimately take over the account itself.

The researchers who found the vulnerability said that, with nearly 1.5 billion TikTok users worldwide, it is an obvious target for people with ulterior motives.

So what exactly is the vulnerability?

The TikTok security vulnerabilities

The vulnerability was discovered by a world-renowned Israeli cybersecurity company: Check Point.

Headquartered in Tel Aviv and providing IT security software and hardware, it is recognized as one of the world's leading network security solution providers.

Its authority has added to the attention the TikTok security vulnerabilities have received.

Check Point's attack-and-defense research found that the design of TikTok's infrastructure gives hackers the opportunity to send TikTok users messages containing malicious links.

Through this vulnerability, hackers can manipulate user data and harvest private personal data.

Once the user clicks the link, the attacker can launch further attacks and take over the account, including uploading videos and accessing private videos.

Specifically, because a user must provide a phone number when registering for TikTok (as with the domestic Douyin), hackers can get hold of these phone numbers. They can then masquerade as "TikTok", send messages to users, and take control of victims' accounts.

Once the attack succeeds, the hacker can do almost anything they want:

  • Delete videos, upload videos, and make private videos public

  • Force TikTok to redirect the user to a web server controlled by the hacker, executing requests without the user's consent

  • Redirect users to malicious sites masquerading as TikTok

The security researchers who found the vulnerabilities also explained:

Because of the lack of an anti-CSRF mechanism, the attacker can execute JavaScript code and perform operations on behalf of the victim without the victim's consent.

And once an attacker gains some control over a user's account, they can obtain the user's private information through an API call, including name, email address, payment information and birthday.
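The two weaknesses described above (a redirect that can send a user to a web server the attacker controls, and state-changing requests that go through without an anti-CSRF token) are both addressed by ordinary server-side checks. The following is an added example written for this article; it is not Check Point's or TikTok's code, and the hostnames, the `handle_profile_update` endpoint and the dict-shaped request it takes are constructed for illustration.

```python
"""Defender-side checks for the two weaknesses the article names: an
attacker-chosen redirect target, and state-changing requests accepted
without an anti-CSRF token. Hypothetical app, not TikTok's code; the
allowed hostnames are constructed for the example."""
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed first-party hostnames (assumption for this example).
ALLOWED_HOSTS = {"example-app.test", "m.example-app.test"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Allow only site-relative paths or absolute URLs on an allowed host.

    Rejects the usual open-redirect tricks: scheme-relative '//evil', non-http
    schemes such as 'javascript:', backslashes (some browsers treat '\\' as
    '/'), and 'user@host' userinfo that hides the real host."""
    if not target or any(c in target for c in "\\\r\n\t"):
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: must start with exactly one slash.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return (parts.hostname or "").lower() in allowed_hosts


def issue_csrf_token() -> str:
    """Per-session random token, stored server-side and echoed in forms."""
    return secrets.token_urlsafe(32)


def csrf_token_valid(session_token: Optional[str], submitted: Optional[str]) -> bool:
    """Constant-time comparison; a missing token on either side fails closed."""
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token.encode(), submitted.encode())


def origin_allowed(origin: Optional[str], allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Second layer: browsers attach Origin to cross-site POSTs, so a request
    whose Origin is another site (or is missing) is refused outright."""
    if not origin:
        return False
    parts = urlsplit(origin)
    return parts.scheme == "https" and (parts.hostname or "").lower() in allowed_hosts


def handle_profile_update(session: dict, request: dict) -> Tuple[int, str]:
    """Simulated state-changing endpoint. `request` is a constructed dict with
    'headers' and 'form' sub-dicts standing in for a real HTTP request.
    Returns (status, body or redirect target)."""
    headers = request.get("headers", {})
    form = request.get("form", {})
    if not origin_allowed(headers.get("Origin")):
        return 403, "cross-site origin rejected"
    if not csrf_token_valid(session.get("csrf"), form.get("csrf")):
        return 403, "missing or mismatched anti-CSRF token"
    # Apply the update here, then redirect only to a vetted target.
    nxt = form.get("next", "/")
    if not is_safe_redirect(nxt):
        nxt = "/"  # never follow an attacker-supplied destination
    return 302, nxt


if __name__ == "__main__":
    tok = issue_csrf_token()
    sess = {"csrf": tok}
    # Constructed requests: one legitimate, one forged from another site.
    ok = {"headers": {"Origin": "https://example-app.test"},
          "form": {"csrf": tok, "next": "/profile"}}
    forged = {"headers": {"Origin": "https://attacker.test"},
              "form": {"next": "https://attacker.test/phish"}}
    print(handle_profile_update(sess, ok))      # (302, '/profile')
    print(handle_profile_update(sess, forged))  # (403, 'cross-site origin rejected')
```

The token check and the Origin check are deliberately independent layers: the token defeats a forged form even when the Origin header is absent, and the Origin check blocks cross-site requests even if a token somehow leaks. The redirect validator fails closed to "/" rather than echoing an unvetted destination back to the browser.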

Oded Vanunu, Check Point's head of product vulnerability research, said that TikTok has close to 1.5 billion users worldwide, and because of the huge amount of data involved the product has become a prime target for hackers.

And because applications like TikTok are available on multiple platforms, malicious attacks can escalate quickly.

This explanation also suggests that the "loophole" may extend beyond the overseas version, TikTok; after all, the "1.5 billion users" figure may also count the domestic version.

ByteDance's response: the vulnerability has been fixed

But does this flaw also affect the domestic version of Douyin? That is not known.

ByteDance has not officially explained or clarified this.

As for the timeline: the vulnerabilities were discovered and submitted in November 2019, when Check Point, following the usual rules of the industry, reported them to ByteDance.

Then, on December 15, ByteDance replied, under the TikTok name, that the vulnerabilities had been fixed.

However, given the situation on both sides of the Pacific and US privacy and security concerns about Chinese companies' products, this vulnerability is no longer simply a security vulnerability.

TikTok recently drew attention because the US military banned it.

And now a "security vulnerability" adds fuel to the fire.

The New York Times commented that the flaw Check Point discovered, coming after the US military banned soldiers from using TikTok, may make these issues more complicated.

Digital Trends also said that TikTok is attracting the attention of US lawmakers, and that issues like privacy and vulnerabilities will further exacerbate these concerns.

The New York Times also pointed out that because TikTok's users are mainly young people who may not pay much attention to security updates, this too gives hackers an opening.

Whatever the truth of the matter, the overseas version of Douyin is learning that whoever wants the crown must bear its weight.

How did Douyin catch fire overseas?

After acquiring the short-video app Musical.ly for $1 billion in 2017, ByteDance merged it, with its 240 million registered users, into TikTok, the international version of the Douyin app, for the international market.

Since then Douyin, China's most popular short-video app, has expanded virally in overseas markets, becoming the most downloaded social app in many countries including the United States, Japan, France and India, with nearly 1.5 billion users worldwide.

In the United States, TikTok has been downloaded more than 110 million times and has repeatedly ranked in the top three of the US Apple App Store by downloads.

In Japan, according to the television network NTV, one in ten mobile internet users has used or downloaded TikTok.

And according to Le Parisien, 38% of French teenagers (aged 11 to 14) have a TikTok account.

In India, 200 million of the 500 million smartphone users are TikTok users.

Its momentum among teenagers appears to outstrip social media such as Facebook and Instagram.

Even Facebook founder Zuckerberg admitted in an internal meeting that TikTok is the first consumer internet product from a Chinese tech giant to perform well worldwide:

In terms of scale, I think TikTok has already surpassed Instagram in India.

The PG One and Li Xiaolu video leak

Unexpectedly, the vulnerability exposed by the US media may answer PG One's "Douyin question", and may also clear him of the "deliberate hype" accusation levelled at the time.

At the end of October 2019, three videos showing Li Xiaolu and PG One together suddenly leaked, causing an uproar.

And from the format and features of the videos, suspicion quickly pointed at the Douyin platform.

PG One had previously attempted a comeback, so after the videos leaked many onlooking netizens took it as "deliberate hype" to relaunch his career.

But PG One soon responded with a long post, explaining on one hand why he had such affectionate videos with his "sister-in-law" Li Xiaolu, and on the other stating clearly that the videos had not been released deliberately, and asking:

Why would videos shot on Douyin last year, which were never shared with anyone, be released?

PG One's fans backed him on the same grounds: rappers keep it real, no means no, and the videos indeed carried no platform logo.

Later, netizens further alleged that the videos had been downloaded from PG One's drafts folder by a Douyin employee through Douyin's back end.

But Douyin immediately responded that draft videos are not uploaded to the back end, and said it would investigate further.

At the time, sharp-eyed netizens also noticed this clause in the Douyin app's "Privacy Policy": when you post audio or video, we may temporarily load it onto our servers before you click "Post" to confirm the upload.

In short, a muddled gossip story and a lesson in privacy and security controversy that, like most entertainment news, was soon forgotten.

Douyin has made no further public statement since.

TikTok responds to the vulnerability

After the vulnerability was disclosed, TikTok issued a public response. The full English and Chinese versions follow:

Luke Deshotels, PhD, TikTok Security Team: “TikTok is committed to protecting user data. Like many organizations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us. Before public disclosure, CheckPoint agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers.”

Luke Deshotels, PhD, of the TikTok security team, said (Chinese version, translated): "Not long ago the research team of the cybersecurity company CheckPoint submitted to us the TikTok vulnerabilities they had found, and we have fixed them in the previous version of the TikTok app. We thank, and encourage, more white-hat teams to give us leads privately, helping us find and fix vulnerabilities and protect users' online security."

As for whether the domestic version of Douyin has a similar vulnerability, there has been no public statement, but any Douyin users who are worried can update to the latest version.

Looking at the iOS version history, there was a major version update in December, but is it related to the fix?

Neither the release notes nor the official statement says.

Source: blog.csdn.net/cxyshenghuozhi/article/details/103906438