TikTok: severe vulnerability to sensitive user data discovered


A new vulnerability in TikTok allows access to sensitive user data, including phone number

Check Point Research (CPR), the Threat Intelligence division of Check Point Software Technologies, the leading provider of cybersecurity solutions globally, has identified a new vulnerability in the TikTok app, after it had already discovered another one at the turn of 2019 and 2020.

The new flaw, found in TikTok’s “Find Friends” feature, would allow an attacker to bypass the privacy protections created to defend app users. If left unpatched, the vulnerability would allow a hacker to access the details of a user’s profile, including the phone number associated with their account, making it possible to build a database to be used for illegal activities.


Profile details accessible through this flaw include: phone number, nickname, profile and avatar pictures, unique user IDs, and some profile settings, such as the one that allows a user to be a public or anonymous follower.

The steps that allowed the vulnerability to be exploited

How could the hacker exploit the vulnerability? Here are the various steps:

  • The attacker created a list of devices with their IDs, which were then used to query TikTok’s servers.
  • The attacker then created a list of session tokens (each valid for 60 days) to be used to query the TikTok servers.
  • The attacker bypassed TikTok’s HTTP digital signature mechanism using their own signature service, which runs in the background.
  • Finally, the attacker tied it all together by modifying HTTP requests, re-signing them, and using the various tokens and IDs to bypass TikTok’s defense systems.
Communication from the Head of Check Point Research and TikTok

Check Point Research communicated its findings to ByteDance, the manufacturer of TikTok. Subsequently, an update was released to ensure the safety of TikTok users.


Comment by Oded Vanunu, Head of Products Vulnerabilities Research at Check Point:

“Our logic this time around was to test TikTok’s privacy. We were curious to know if the platform could be used by hackers to obtain users’ private data; and the answer is yes, as we were able to bypass several of TikTok’s defense mechanisms. This vulnerability could have allowed an attacker to build a detailed database of users which, with that degree of sensitive information, would have allowed the attacker to perform a variety of criminal activities such as spear phishing. Our advice to TikTok users, and not only to them, is to share their personal data only when strictly necessary and above all to always update the operating system and applications to the latest versions.”

TikTok stated:

“The security and privacy of the TikTok community is our top priority, and we appreciate the work of trusted partners like Check Point in identifying potential problems so they can be resolved before they affect users. We continue to strengthen our defenses, both by constantly updating our internal capabilities, such as investing in automated defenses, and by working with third parties.”
