Researchers discovered a vulnerability in TikTok that allowed collecting personal data

by Emma Davis
January 26, 2021
Researchers discovered a vulnerability in TikTok
Written by Emma Davis

Researchers at Check Point discovered a security vulnerability in TikTok that allowed attackers to collect personal data from application users.

The bug found opens access to user profile data, including phone number, unique ID, username, profile photo, as well as some settings, including the option to hide the profile and manage subscriptions. It is reported that the developers have already fixed the security hole.

The root of the problem lay in the Find Friends function, which is based on synchronizing contacts. Due to this, the bug only affected those users who have chosen to link their phone number with an account (which is optional) or logged in with their phone number.

The vulnerability worked the following way:

  • first, it was required to prepare a list of devices (device identifiers) for requests to the TikTok servers;
  • then it was necessary to create a list of session tokens (each valid for 60 days) that will be used for requests to the TikTok servers: the same cookies were used to log in to the system for several weeks;
  • bypass the mechanism of signing HTTP messages in TikTok, thereby automating the process of downloading and syncing contacts at any scale;
  • combine all of the above into a chain, changing the HTTP requests, and bypassing the electronic signature;
  • use different session tokens and device IDs to trick TikTok’s defences and stream data collection.

Let me remind you that Vulnerabilities in TikTok Allowed One-Click Accounts Hacking.

This time, our main task was to research the protection of personal information in TikTok. We decided to check if the platform can be used to obtain personal data of users. It turned out that it can. We managed to bypass several of TikTok’s security mechanisms, thereby violating the privacy of the application. Using this vulnerability, cybercriminals could create a database of users and their phone numbers. Holders of this information would be able to carry out targeted phishing attacks and other criminal activities. We encourage TikTok users to provide as little information about themselves as possible and to regularly update the operating system and applications to the latest version.commented Oded Vanunu, head of Check Point Software Technologies for Product Vulnerability Research.

Let me remind you that this is not the first time that Check Point analysts have reported problems with TikTok. In January last year, researchers published a large report that highlighted a range of vulnerabilities in the application.

The bugs allowed an attacker that knew the victim’s phone number to manipulate other people’s accounts and gain access to personal data.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

View all posts

Leave a Reply

Sending