TikTok's open redirection vulnerability is being used in phishing emails
In September 2024 we started seeing phishing emails using links to TikTok as the payload.
Upon further investigation, the links turned out to be TikTok's own redirection links, which forward the visitor to a URL embedded in a TikTok profile's bio.
How are TikTok links being used in phishing campaigns?
The campaign uses two types of bulk phishing themes, which we've broken down below.
Type 1
The first type of attack we've seen is Office 365 impersonations.
These emails typically try to trick users into clicking a link to:
- Renew their password
- Keep the same password
- Open a calendar invite
- Listen to a voicemail
Type 2
Document sharing service impersonations, asking users to sign or view documents.
The TikTok phishing link kill-chain
- Step 1: The user receives an email urging them to click the provided link to keep their current password
- Step 2: They check the link before clicking on it, and it appears to link to a legitimate service, TikTok. This makes the email appear more legitimate.
- Step 3: The user clicks on the link and is redirected to a phishing site with a credential harvester.
- Step 4: They input their credentials and are forwarded to a legitimate login page. It seems like a bug, so the user doesn’t become suspicious and report it.
- Step 5: The attacker successfully acquires the user's login credentials.
Here's how the redirection link actually works
TikTok offers users the option to add links into their bio to help drive traffic to their business websites or other social media accounts.
The only requirement is to have a TikTok Business Account (or to have 1,000 followers).
After adding the link to your bio, TikTok also generates a URL that immediately redirects users to it:
https://www.tiktok.com/link/v2?aid=1988&lang=en&scene=bio_url&target=[LINK]
TikTok does not check that the value of target= matches the link actually saved in the account's bio, so anyone can edit target= to point the redirect wherever they like.
For example, changing it to target=Youtube.com redirects you to YouTube without asking you, the user, for any kind of confirmation or verification:
https://www.tiktok.com/link/v2?aid=1988&lang=en&scene=bio_url&target=Youtube.com
There does seem to be some sort of reputation check involved, as some domains such as geoguesser.com prompt the user to confirm they wish to visit the external website.
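The redirect can be unwrapped without ever following it: the real destination sits in the query string. The following script is an added example written for this article (not Hoxhunt's or TikTok's code). It reads the destination out of the TikTok /link/v2 link shape shown above, normalizes bare values such as Youtube.com the way the browser will end up loading them, and flags links whose destination leaves the wrapper's site. The extra parameter names in REDIRECT_PARAMS are common redirector conventions and an assumption, not something the article documents for TikTok; the credential-harvester hostname in the samples is constructed.

```python
"""Unwrap open-redirect links and report where they really go.

Added example written for this article, not Hoxhunt's or TikTok's code.
The /link/v2?...&target= URL shape is the one shown in the article; the
other parameter names in REDIRECT_PARAMS and the phishing hostname in the
samples are constructed for illustration.
"""
from urllib.parse import parse_qs, urlsplit, urlunsplit

# 'target' is TikTok's parameter (from the article). The remaining names are
# conventions used by other redirectors and are an assumption.
REDIRECT_PARAMS = ("target", "redirect", "go", "url", "next")


def normalize_destination(raw: str) -> str:
    """Turn a redirect value into an absolute URL with a lower-cased host.

    A bare value such as 'Youtube.com' or a scheme-relative '//host' gets an
    https scheme, which is what the browser ends up loading.
    """
    raw = raw.strip()
    if "://" not in raw:
        raw = "https://" + raw.lstrip("/")
    parts = urlsplit(raw)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, parts.fragment))


def site_of(host: str) -> str:
    """Crude site comparison on the last two labels (www.tiktok.com -> tiktok.com).

    Good enough here; production code should use the public suffix list so
    that co.uk-style domains compare correctly.
    """
    labels = host.split(":")[0].split(".")
    return ".".join(labels[-2:])


def unwrap_redirect(url: str) -> dict:
    """Read the real destination straight from the query string (no network).

    Returns the wrapper host, the parameter that carried the destination,
    the normalized destination and whether it leaves the wrapper's site.
    """
    parts = urlsplit(url)
    wrapper = parts.netloc.lower()
    query = parse_qs(parts.query)
    for name in REDIRECT_PARAMS:
        if query.get(name) and query[name][0]:
            dest = normalize_destination(query[name][0])
            dest_host = urlsplit(dest).netloc
            return {"wrapper_host": wrapper, "param": name, "destination": dest,
                    "external": site_of(dest_host) != site_of(wrapper)}
    return {"wrapper_host": wrapper, "param": None, "destination": url, "external": False}


def flag_external_redirects(urls) -> list:
    """Return the unwrapped records for every link whose real destination is
    off the wrapper's site: these are the ones to show an analyst or block."""
    return [r for r in map(unwrap_redirect, urls) if r["external"]]


# Constructed sample links. The first is the article's own example; the
# credential-harvester host in the second is made up for illustration.
SAMPLE_LINKS = [
    "https://www.tiktok.com/link/v2?aid=1988&lang=en&scene=bio_url&target=Youtube.com",
    "https://www.tiktok.com/link/v2?aid=1988&lang=en&scene=bio_url"
    "&target=https%3A%2F%2Fo365-password-renewal.example%2Flogin",
    "https://www.tiktok.com/link/v2?aid=1988&lang=en&scene=bio_url"
    "&target=https%3A%2F%2Fwww.tiktok.com%2F%40someaccount",
    "https://www.tiktok.com/@someaccount",
]

if __name__ == "__main__":
    for record in flag_external_redirects(SAMPLE_LINKS):
        print(f"{record['wrapper_host']} -> {record['destination']} (via {record['param']}=)")
```

Running it lists only the two links that leave tiktok.com; the link whose target stays on TikTok and the plain profile link are not flagged. The same unwrapping logic can be applied to URLs extracted from a mail gateway's logs before any reputation lookup, so that the destination host rather than the trusted wrapper host is what gets scored.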
Why are open redirection links on websites dangerous?
Open redirection links are a common feature on social media sites, designed to easily guide users to external websites such as promotional pages or affiliate links.
However, their convenience comes with a security risk, as these URLs often lack validation, which allows attackers to exploit them for malicious purposes.
By redirecting users through legitimate and trusted websites, adversaries can avoid raising suspicion and even bypass spam filters that rely on domain reputation.
Masking the final payload behind a redirection link can make it easier for attackers to reach their potential victims.
Mitigation and prevention best practices for organizations
Best practices for users
- Be mindful of social engineering attempts: If an email appears to leverage emotions such as urgency or curiosity, assess the content of the email calmly before interacting with it.
- Verify any links before clicking on them: The domain in a link should match the service the email claims to be about. An email about your Office 365 password that links to TikTok is a red flag, even though TikTok itself is a legitimate site.
- Hover over links before clicking: If you receive an email you're not expecting, use your mouse to hover over the link to check where the URL is taking you.
- Be wary of shortened URLs: Shortened URLs (e.g. Bitly, TinyURL) can mask the true destination. Always verify shortened links using a URL expander before clicking on them.
- Look for suspicious URL parameters: Attackers often add extra parameters to URLs for open redirections, such as "redirect=" or "go=" followed by an unfamiliar website. If you see this in the URL, avoid clicking on it.
- Participate in regular training: Make sure employees are being sent phishing training simulations. Frequent training reinforces good habits and helps employees identify real-life, sophisticated attacks.
How can platforms like TikTok secure open redirections?
- Users should always be warned about a redirect. This allows them to review the destination URL and decide if they wish to proceed.
- The URLs should be validated to prevent attackers from manipulating the destination of the redirect. This can involve stripping dangerous characters, verifying that the URL is not external, or confirming it matches a trusted list.
- Implement a URL whitelist where only approved, trusted domains can be used for redirections. This ensures that any redirection is limited to pre-defined, secure domains.
- Instead of allowing full URLs, limit redirections to relative paths. This approach ensures that the redirect is only within the site and can't direct users to external, potentially harmful sites.
- Ensure logging and monitoring are in place to detect abnormal patterns in redirections. This can include tracking user reports or detecting an unusually high number of redirects to unapproved sites.
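The list above maps onto a small amount of server-side code. The following is an added example written for this article, not TikTok's or Hoxhunt's code: a redirect handler that trusts target= wholesale, beside a hardened version that rejects dangerous characters and non-http schemes, keeps host-less values on the platform's own site, sends allowlisted hosts straight through, shows an interstitial (or, in strict mode, rejects) for everything else, and records each decision for monitoring. The parameter name target= follows the URL shown earlier; SITE_HOST, SITE_DOMAIN, the allowlist and every sample value are assumptions made for illustration.

```python
"""A redirect endpoint the way the article describes it, beside a hardened one.

Added example, not TikTok's or Hoxhunt's code. The target= parameter name
follows the URL shown in the article; SITE_HOST, SITE_DOMAIN, the allowlist
and every sample value are assumptions made for illustration.
"""
import re
from typing import Optional
from urllib.parse import quote, urlsplit, urlunsplit

SITE_HOST = "www.example.com"                      # hypothetical platform host
SITE_DOMAIN = "example.com"                        # anything under it counts as internal
ALLOWED_EXTERNAL_HOSTS = {"partner.example.net"}   # hypothetical approved destinations
_DANGEROUS_CHARS = re.compile(r"[\x00-\x20\x7f\\]")  # C0 controls, space, DEL, backslash


def redirect_vulnerable(target: str) -> str:
    """Open redirect: the Location header is whatever target= says."""
    return target


def redirect_hardened(target: str, strict: bool = False, audit: Optional[list] = None) -> dict:
    """Decide how to treat target=. Returns {"action", "location", "reason"}.

    action is 'redirect' (send the user on), 'warn' (show an interstitial that
    names the destination and asks for confirmation) or 'reject'.
    strict=True turns the interstitial into a rejection, i.e. allowlist only.
    Every decision is appended to `audit` so unapproved destinations can be
    counted and alerted on.
    """
    def decide(action, location, reason):
        if audit is not None:
            audit.append({"target": target, "action": action, "reason": reason})
        return {"action": action, "location": location, "reason": reason}

    if not target or _DANGEROUS_CHARS.search(target):
        # CR/LF would let the value break out of the Location header; browsers
        # treat a backslash like a slash, so '/\evil' must not pass as a path.
        return decide("reject", None, "empty, control, whitespace or backslash character")
    parts = urlsplit(target)
    if parts.scheme.lower() not in ("", "http", "https"):
        return decide("reject", None, f"scheme {parts.scheme!r} not allowed")
    if not parts.netloc:
        # No host at all: keep it on our own site. urlsplit has already moved a
        # scheme-relative '//host' into netloc, and a bare 'Youtube.com' lands
        # here as a path, so it becomes /Youtube.com on SITE_HOST, not youtube.com.
        path = parts.path if parts.path.startswith("/") else "/" + parts.path
        location = urlunsplit(("https", SITE_HOST, path, parts.query, parts.fragment))
        return decide("redirect", location, "same-site path")
    # hostname strips userinfo and port, so 'www.example.com@evil.example' is
    # compared as evil.example rather than mistaken for our own host.
    host = (parts.hostname or "").lower()
    location = urlunsplit(("https", host, parts.path or "/", parts.query, parts.fragment))
    if host == SITE_DOMAIN or host.endswith("." + SITE_DOMAIN):
        return decide("redirect", location, "same-site host")
    if host in ALLOWED_EXTERNAL_HOSTS:
        return decide("redirect", location, "allowlisted external host")
    if strict:
        return decide("reject", None, f"external host {host} not allowlisted")
    interstitial = urlunsplit(("https", SITE_HOST, "/leaving", "to=" + quote(location, safe=""), ""))
    return decide("warn", interstitial, f"external host {host}, confirmation required")


def summarize_audit(audit: list) -> dict:
    """Count decisions by action. A rising 'warn' or 'reject' count, or many
    warnings for one destination, is the abnormal pattern monitoring should flag."""
    counts = {"redirect": 0, "warn": 0, "reject": 0}
    for record in audit:
        counts[record["action"]] += 1
    return counts


if __name__ == "__main__":
    # Constructed inputs: the article's Youtube.com value plus classic bypass attempts.
    samples = ["/settings", "Youtube.com", "//evil.example/login",
               "https://www.example.com@evil.example/", "javascript:alert(1)",
               "https://partner.example.net/offer", "https://evil.example/o365\r\nX: y"]
    log = []
    for t in samples:
        print(f"{t!r:48} vulnerable -> {redirect_vulnerable(t)!r}")
        print(f"{'':48} hardened   -> {redirect_hardened(t, audit=log)}")
    print(summarize_audit(log))
```

Note that the hardened handler never builds the Location header from the raw string: it reassembles it from parsed components, so the scheme, host and path are each individually checked. The bare Youtube.com value that the article shows TikTok honouring stays on the platform's own site here, and the warn/reject counters give the monitoring hook the last bullet asks for.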