Researchers at Check Point discovered a security vulnerability in TikTok that allowed attackers to collect personal data from application users.
The bug exposed user profile data, including phone number, unique ID, username, profile photo, and some settings, including the option to hide the profile and manage subscriptions. It is reported that the developers have already fixed the security hole.
The root of the problem lay in the Find Friends function, which is based on synchronizing contacts. As a result, the bug only affected users who had chosen to link their phone number to their account (which is optional) or who logged in with their phone number.
The vulnerability worked the following way:
- first, prepare a list of devices (device identifiers) to be used in requests to the TikTok servers;
- then, build a list of session tokens (each valid for 60 days) to be used in requests to the TikTok servers; the same cookies could be used to log in to the system for several weeks;
- bypass the mechanism for signing HTTP messages in TikTok, thereby automating the process of uploading and syncing contacts at any scale;
- chain all of the above together, modifying the HTTP requests and bypassing the electronic signature;
- rotate session tokens and device IDs to evade TikTok's defences and keep the data collection running.
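The pattern described above (one operator spreading bulk contact uploads across many device identifiers and session tokens) is visible on the server side. The following is an added detection heuristic, not Check Point's findings or TikTok's own code; the request-log format, field names and thresholds are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample request log for a Find Friends / contact-sync endpoint.
# Fields (ts, src_ip, device_id, session_token, contacts) are assumptions.
# 203.0.113.5 is an ordinary user; 198.51.100.7 rotates identities to bulk-upload.
SAMPLE_LOG = """
{"ts": 1000, "src_ip": "203.0.113.5", "device_id": "dev-A", "session_token": "tok-A", "contacts": 120}
{"ts": 1010, "src_ip": "203.0.113.5", "device_id": "dev-A", "session_token": "tok-A", "contacts": 3}
{"ts": 1000, "src_ip": "198.51.100.7", "device_id": "dev-1", "session_token": "tok-1", "contacts": 5000}
{"ts": 1005, "src_ip": "198.51.100.7", "device_id": "dev-2", "session_token": "tok-2", "contacts": 5000}
{"ts": 1010, "src_ip": "198.51.100.7", "device_id": "dev-3", "session_token": "tok-3", "contacts": 5000}
{"ts": 1015, "src_ip": "198.51.100.7", "device_id": "dev-4", "session_token": "tok-4", "contacts": 5000}
""".strip()


def detect_contact_sync_abuse(log_text, window=3600, max_identities=3, max_contacts=10000):
    """Return {src_ip: [reasons]} for sources whose contact-sync traffic within
    `window` seconds of their first request spreads across too many device IDs
    or session tokens, or uploads too many contacts in total.

    Thresholds are illustrative; a production detector would baseline them per
    endpoint and slide the window rather than anchoring it at the first request.
    """
    per_source = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            per_source[rec["src_ip"]].append(rec)

    flagged = {}
    for src, recs in per_source.items():
        recs.sort(key=lambda r: r["ts"])
        start = recs[0]["ts"]
        in_window = [r for r in recs if r["ts"] - start < window]
        devices = {r["device_id"] for r in in_window}
        tokens = {r["session_token"] for r in in_window}
        total = sum(r["contacts"] for r in in_window)
        reasons = []
        if len(devices) > max_identities or len(tokens) > max_identities:
            reasons.append(f"{len(devices)} device ids / {len(tokens)} session tokens")
        if total > max_contacts:
            reasons.append(f"{total} contacts uploaded")
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    for src, why in detect_contact_sync_abuse(SAMPLE_LOG).items():
        print(src, "->", "; ".join(why))  # only the bulk-syncing source is printed
```

Pairing this with a hard cap on contacts per account and per device, and with server-side enforcement of the request signature, addresses the scaling step the researchers relied on rather than just detecting it after the fact.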
Let me remind you that Vulnerabilities in TikTok Allowed One-Click Accounts Hacking.
Let me remind you that this is not the first time that Check Point analysts have reported problems with TikTok. In January last year, researchers published a large report that highlighted a range of vulnerabilities in the application.
The bugs allowed an attacker who knew the victim's phone number to manipulate other people's accounts and gain access to personal data.