TikTok: severe vulnerability exposing sensitive user data discovered

A new vulnerability in TikTok allows access to sensitive user data, including phone numbers

Check Point Research (CPR), the Threat Intelligence division of Check Point Software Technologies, the leading provider of cybersecurity solutions globally, has identified a new vulnerability in the TikTok app, after it had already discovered another one at the turn of 2019 and 2020.

The new flaw, found in TikTok’s “Find Friends” feature, would allow an attacker to bypass the privacy protections created to defend app users. If left unpatched, the vulnerability would allow a hacker to access the details of a user’s profile and also the phone number associated with their account, making it possible to build a database to be used for illegal activities.

Profile details accessible through this flaw include: phone number, nickname, profile and avatar pictures, unique user IDs, and some profile settings, such as the one that allows a user to be a public or anonymous follower.

The steps that allowed the vulnerability to be exploited

How could the hacker exploit the vulnerability? Here are the various steps:

  • The attacker created a list of devices with their IDs, which were then used to query TikTok’s servers.
  • The attacker then created a list of session tokens (each valid for 60 days) that were used to query the TikTok servers.
  • The attacker bypassed TikTok’s HTTP digital signature mechanism using its own signature service, which runs in the background.
  • Finally, the attacker tied it all together by modifying HTTP requests, re-signing them, and using various tokens and IDs to bypass TikTok’s defense systems.

Communication from the Head of Check Point Research and TikTok

Check Point Research communicated its findings to ByteDance, the maker of TikTok. Subsequently, an update was released to ensure the safety of TikTok users.

Comment by Oded Vanunu, Head of Products Vulnerabilities Research at Check Point:

“Our logic this time around was to test TikTok’s privacy. We were curious to know if the platform could be used by hackers to obtain users’ private data; and the answer is yes, as we were able to bypass more of TikTok’s defense mechanisms. This vulnerability could have allowed an attacker to build a detailed database of users which, with that degree of sensitive information, would have allowed the attacker to perform a variety of criminal activities such as spear phishing. Our advice to TikTok users, and not only, is to share their personal data only when strictly necessary and above all to always update the operating system and applications to the latest versions.”

TikTok stated:

“The security and privacy of the TikTok community is our top priority, and we appreciate the work of trusted partners like Check Point in identifying potential problems so they can be resolved before they affect users. We continue to strengthen our defenses, both by constantly updating our internal capabilities such as investing in automation defenses, and by working with third parties.”

Published by
Janice J. Mills