Zero-day TikTok Vulnerability Allows Attackers to Collect Personal Data of Users


Check Point has discovered a flaw in the Find Friends feature in TikTok. If not addressed, this vulnerability could allow attackers to gain access to personal data in user profiles, including the phone number associated with the account, nickname, unique user ID, profile photo, and some settings, including whether the profile is hidden and how subscriptions are managed. Attackers could use the obtained information for criminal purposes.


According to TikTok, 100 million people worldwide become new users of the app every month, and the number of downloads has already exceeded 2 billion - this is three times more than in 2018. Analysts at mobile data company App Annie predict that TikTok will reach 1 billion monthly active users in 2021, and the app will catch up with Facebook, Instagram, Messenger, WhatsApp, YouTube and WeChat in popularity.


To ensure that TikTok users do not have to worry about their personal information, a team of experts at Check Point Research conducted a study and reported the vulnerability found to ByteDance, the developer of TikTok. A solution was urgently deployed to address the issue so that TikTok users can continue to use the app safely.


How attackers could use the vulnerability:

1. First, create a list of devices (device IDs) for queries to the TikTok servers.

2. Next, create a list of session tokens (each valid for 60 days) to be used for requests to the TikTok servers.

3. Bypass the TikTok HTTP signature mechanism by replacing the digital signature service running in the background.

4. Chain all of this together, modifying the HTTP requests and replacing their digital signatures.

5. Use different session tokens and device IDs to bypass TikTok's security mechanisms.
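The chain above relies on one client presenting many device IDs and session tokens while resolving large batches of phone numbers through the Find Friends lookup. From the defender's side, that pattern is what a detection rule can key on. The following is an added illustration, not Check Point's or TikTok's code: it runs over a constructed request log (the log format, the `/contacts/lookup` endpoint name, the grouping by source IP and the thresholds are all assumptions for this example) and flags clients whose lookup behaviour looks like enumeration rather than a single person syncing their address book.

```python
"""Detection sketch for Find-Friends-style contact enumeration.

Added example, not Check Point's or TikTok's code. The log format below is
constructed for illustration: one line per request, carrying the client IP,
the device ID and session token the client presented, the endpoint, and how
many phone numbers a contact-lookup request asked to resolve.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Thresholds are assumptions chosen for the toy data, not TikTok's real limits.
MAX_DEVICE_IDS_PER_IP = 3   # one person rarely syncs contacts from many devices
MAX_SESSIONS_PER_IP = 3     # nor from many sessions in a short window
MAX_NUMBERS_PER_IP = 500    # total phone numbers resolved in the window


@dataclass
class ClientStats:
    device_ids: set = field(default_factory=set)
    sessions: set = field(default_factory=set)
    numbers_looked_up: int = 0
    requests: int = 0


def parse_line(line):
    """Parse 'ts ip device_id session_token endpoint n_numbers' (constructed format)."""
    ts, ip, device_id, session, endpoint, n = line.split()
    return {"ts": ts, "ip": ip, "device_id": device_id,
            "session": session, "endpoint": endpoint, "n": int(n)}


def aggregate(lines):
    """Group contact-lookup requests by source IP and collect the identities each IP used."""
    stats = defaultdict(ClientStats)
    for line in lines:
        rec = parse_line(line)
        if rec["endpoint"] != "/contacts/lookup":
            continue  # only the friend-lookup endpoint matters for this rule
        s = stats[rec["ip"]]
        s.device_ids.add(rec["device_id"])
        s.sessions.add(rec["session"])
        s.numbers_looked_up += rec["n"]
        s.requests += 1
    return stats


def find_enumerators(lines):
    """Return {ip: [reasons]} for clients whose lookup pattern looks like enumeration."""
    flagged = {}
    for ip, s in aggregate(lines).items():
        reasons = []
        if len(s.device_ids) > MAX_DEVICE_IDS_PER_IP:
            reasons.append(f"{len(s.device_ids)} distinct device IDs")
        if len(s.sessions) > MAX_SESSIONS_PER_IP:
            reasons.append(f"{len(s.sessions)} distinct session tokens")
        if s.numbers_looked_up > MAX_NUMBERS_PER_IP:
            reasons.append(f"{s.numbers_looked_up} phone numbers resolved")
        if reasons:
            flagged[ip] = reasons
    return flagged


# Constructed sample log: one ordinary user and one client rotating identities.
SAMPLE_LOG = [
    "2021-01-26T10:00:01 198.51.100.7 dev-aaa sess-111 /contacts/lookup 120",
    "2021-01-26T10:00:09 198.51.100.7 dev-aaa sess-111 /feed 0",
    "2021-01-26T10:01:00 203.0.113.9 dev-001 sess-a01 /contacts/lookup 200",
    "2021-01-26T10:01:02 203.0.113.9 dev-002 sess-a02 /contacts/lookup 200",
    "2021-01-26T10:01:04 203.0.113.9 dev-003 sess-a03 /contacts/lookup 200",
    "2021-01-26T10:01:06 203.0.113.9 dev-004 sess-a04 /contacts/lookup 200",
]

if __name__ == "__main__":
    for ip, reasons in find_enumerators(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The rule deliberately counts identities per client rather than trusting any one of them: rotating device IDs and session tokens defeats per-device and per-session rate limits, so the aggregation has to happen on something the client cannot freely rotate. Source IP is only the simplest such key; in production the same counting would be applied to whatever stable signal is available (for example TLS or network fingerprints) and combined with a cap on how many numbers one account may resolve per day.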


Researchers at Check Point Research have found vulnerabilities in TikTok twice. The first time was on January 8, 2020, when Check Point Research published a blog post reporting a set of vulnerabilities that attackers could have used to gain access to personal information stored in accounts or to take actions on behalf of a user without their consent.


“This time, our main task was to research the protection of personal information in TikTok. We decided to check if the platform can be used to obtain personal data of users. It turned out that you can. We were able to bypass several of TikTok's security mechanisms, thereby violating the privacy of the application. Using this vulnerability, cybercriminals could create a database of users and their phone numbers. Holders of this information would be able to carry out targeted phishing attacks and other criminal activities. We urge TikTok users to provide as little information about themselves as possible and regularly update the operating system and applications to the latest version,” commented Oded Vanunu, head of Product Vulnerability Research at Check Point Software Technologies.


“The security and privacy of TikTok users' data is our top priority. We value the help of trusted partners like Check Point to help us detect potential threats before they affect users. We continue to strengthen our security — improving our internal capabilities, increasing investment in automated security systems, and partnering with other organizations,” says a TikTok spokesperson.
