TikTok Vulnerability Allowed Collection of Users’ Personal Data
Researchers from Check Point discovered a security issue in TikTok that allowed access to users’ profile data, including phone numbers, unique IDs, usernames, profile photos, and certain settings such as the ability to hide a profile and manage subscriptions. According to reports, TikTok developers have already fixed the vulnerability.
How the Vulnerability Worked
The root of the problem was in the “Find Friends” feature, which is based on contact synchronization. This bug only affected users who chose to link their phone number to their account (which is optional) or logged in using their phone number.
The vulnerability operated as follows:
- First, attackers needed to prepare a list of device identifiers for requests to TikTok’s servers.
- Next, they needed a pool of session tokens to use for requests to TikTok’s servers. Each token was valid for 60 days, so the same session cookie could be reused for several weeks without logging in again.
- They bypassed TikTok’s HTTP message signing mechanism, automating the process of uploading and syncing contacts at any scale.
- All of the above was combined into a chain by modifying the HTTP requests and bypassing the request-signing check.
- By using various session tokens and device identifiers, attackers could trick TikTok’s security mechanisms and automate data collection.
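The chain above defeats per-device and per-session limits by rotating identities, so a defender has to look at the traffic from a different angle: many distinct device IDs and session tokens uploading large contact lists from the same origin. The following is an added example of that detection logic, not TikTok’s or Check Point’s code. It assumes a hypothetical server-side log of contact-sync requests (timestamp, device ID, session token, client IP, number of contacts uploaded), constructed sample lines, and illustrative thresholds.

```python
"""Flag contact-sync enumeration of the kind described above.

Added example (not TikTok's or Check Point's code). Assumes a hypothetical
server-side log with one contact-sync request per line:
    <unix_ts> <device_id> <session_token> <client_ip> <contacts_uploaded>
A real phone syncs one device with one token; an operator rotating through a
pool of identities shows many of each from one origin plus a far larger
upload volume, which is the signal aggregated here.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not real traffic). 203.0.113.10 rotates six device
# IDs and six tokens and uploads thousands of contacts; 198.51.100.7 behaves
# like a normal client.
SAMPLE_LOG = """\
1610000000 dev-aaa1 tok-111 203.0.113.10 40
1610000005 dev-aaa2 tok-112 203.0.113.10 500
1610000010 dev-aaa3 tok-113 203.0.113.10 500
1610000015 dev-aaa4 tok-114 203.0.113.10 500
1610000020 dev-aaa5 tok-115 203.0.113.10 500
1610000025 dev-aaa6 tok-116 203.0.113.10 500
1610000100 dev-bbb1 tok-201 198.51.100.7 35
1610000400 dev-bbb1 tok-201 198.51.100.7 2
malformed line that should be skipped
"""


@dataclass
class SourceStats:
    """Per-origin counters used by the detector."""
    device_ids: set = field(default_factory=set)
    session_tokens: set = field(default_factory=set)
    requests: int = 0
    contacts: int = 0


def parse_log(text):
    """Yield (ts, device_id, token, ip, count), skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, dev, tok, ip, n = parts
        try:
            yield int(ts), dev, tok, ip, int(n)
        except ValueError:
            continue


def aggregate_by_ip(text):
    """Group requests by client IP, collecting distinct identities and volume."""
    stats = defaultdict(SourceStats)
    for _ts, dev, tok, ip, n in parse_log(text):
        s = stats[ip]
        s.device_ids.add(dev)
        s.session_tokens.add(tok)
        s.requests += 1
        s.contacts += n
    return stats


def flag_enumerators(text, min_identities=5, min_contacts=1000):
    """Return {ip: SourceStats} for origins that look like identity rotation.

    Thresholds are illustrative assumptions; tune them against a real baseline.
    Both conditions must hold: many distinct device IDs *and* tokens from one
    origin, and an upload volume no single legitimate user would produce.
    """
    flagged = {}
    for ip, s in aggregate_by_ip(text).items():
        if (len(s.device_ids) >= min_identities
                and len(s.session_tokens) >= min_identities
                and s.contacts >= min_contacts):
            flagged[ip] = s
    return flagged


if __name__ == "__main__":
    for ip, s in flag_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {len(s.device_ids)} devices, "
              f"{len(s.session_tokens)} tokens, {s.contacts} contacts")
```

Keying on source IP is only one view; a scraper that also rotates egress addresses will slip past it, so in practice the same aggregation should be run on the uploaded phone numbers themselves (how many distinct numbers are being looked up platform-wide per unit time) and on the rate of newly minted session tokens.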
Potential Risks and Recommendations
“This time, our main goal was to investigate the protection of personal information in TikTok. We wanted to see if the platform could be used to obtain users’ personal data. It turned out it could. We managed to bypass several TikTok security mechanisms, thus compromising the app’s confidentiality. Using this vulnerability, cybercriminals could have created a database of users and their phone numbers. With this information, they could carry out targeted phishing attacks and other criminal activities. We urge TikTok users to provide as little personal information as possible and to regularly update their operating system and apps to the latest version,” commented Oded Vanunu, Head of Product Vulnerability Research at Check Point Software Technologies.
Previous TikTok Security Issues
This is not the first time Check Point analysts have reported problems with TikTok. In January of last year, the researchers published a detailed report describing a number of vulnerabilities in the app. Those bugs allowed an attacker who knew a victim’s phone number to manipulate the victim’s account and access personal data.