New TikTok vulnerability exposed private user data
January 2021 by Check Point
Researchers at cyber-security specialist Check Point Research have identified a security vulnerability in TikTok’s ‘Find Friends’ feature. Before it was patched, the vulnerability allowed an attacker to retrieve a user’s profile details together with the phone number linked to their account, making it possible to build a database mapping users to their phone numbers for use in malicious activity.
• Profile details accessible via the vulnerability include phone number, nickname, profile and avatar pictures, unique user IDs and more
• CPR responsibly disclosed research findings to TikTok. A fix has been deployed.
• CPR researchers have twice found security flaws in TikTok.
Profile details that were accessible via the vulnerability include the user’s phone number, TikTok nickname, profile and avatar pictures, unique user IDs, as well as certain profile settings, such as whether a user is a follower or if a user’s profile is hidden.
The researchers focused on TikTok’s ‘contacts syncing’ feature, which lets a user upload the contacts stored on their phone so the app can find people they may know on TikTok. Because the server answers with the matching profiles, a synced phone number is effectively a lookup key for a user’s profile details, provided that user has linked a phone number to their account or logged in with one.
With phone numbers tied to profile details, an attacker could then pivot to data held outside TikTok, for example by searching for other accounts registered to the same number. The attack chain was as follows:
Step 1 – Creating a list of devices (registering devices) – each time it is launched, the TikTok app registers the device with TikTok’s servers so that the service can check users are not switching between devices. Repeating this registration yields a pool of device identities to work from.
Step 2 – Creating a list of session tokens that do not expire for 60 days – during SMS login from a mobile device, TikTok’s servers validate the login by issuing a session token and session cookies. The researchers found that these cookies and token values only expire after 60 days, so the same cookies could be reused to log in for weeks.
Step 3 – Bypassing TikTok’s HTTP message signing – the researchers found that the sign-in process could be manipulated by bypassing TikTok’s HTTP message signing. That removed the check tying requests to the genuine app, which let them automate contact upload and syncing at scale and, step by step, build a database of users and their linked phone numbers for later targeting.
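The three steps above describe an enumeration attack against a contact-sync endpoint: a free supply of device identities and long-lived sessions, plus a way around request signing, turns “find friends” into an oracle that maps phone numbers to profiles. The following Python model is an added illustration and is not TikTok’s API or Check Point’s tooling; the service class, the limits, the account and phone numbers, and the profile fields are all constructed assumptions. It contrasts a permissive service (60-day tokens, no lookup limits) with a throttled one (short token lifetime, a per-account lookup budget, a batch cap and a cap on live sessions per account), and runs the same sweep of a 200-number block against both.

```python
"""Added illustrative model (not TikTok's API): why an unthrottled contact-sync
endpoint is a phone-number-to-profile oracle, and what throttling changes.
Every name, number and limit below is a constructed assumption."""
import secrets
from dataclasses import dataclass

DAY = 86_400  # seconds


@dataclass
class Session:
    account: str       # phone number that completed SMS login
    device_id: str     # device identity minted at registration
    issued_at: float   # token issue time (seconds)
    lookups: int = 0   # contacts looked up through this session


class ContactSyncService:
    """In-memory stand-in for a 'find friends by contacts' backend."""

    def __init__(self, users, token_ttl, lookup_budget=None, batch_cap=None, max_sessions=None):
        self.users = users                  # phone number -> public profile (assumed shape)
        self.token_ttl = token_ttl          # seconds a session token stays valid
        self.lookup_budget = lookup_budget  # lookups per account (None = unlimited; no reset modelled)
        self.batch_cap = batch_cap          # contacts per request (None = unlimited)
        self.max_sessions = max_sessions    # live sessions per account (None = unlimited)
        self.sessions = {}                  # token -> Session

    def register_device(self):
        # Device registration is free: any caller can mint a fresh device id (step 1).
        return secrets.token_hex(8)

    def sms_login(self, account, device_id, now):
        # Budgets keyed to the SMS-verified account, not the device: devices are free, numbers are not.
        live = [s for s in self.sessions.values()
                if s.account == account and now - s.issued_at <= self.token_ttl]
        if self.max_sessions is not None and len(live) >= self.max_sessions:
            raise PermissionError("too many live sessions for this account")
        token = secrets.token_hex(16)
        self.sessions[token] = Session(account, device_id, now)
        return token

    def sync_contacts(self, token, phones, now):
        s = self.sessions.get(token)
        if s is None or now - s.issued_at > self.token_ttl:
            raise PermissionError("session expired")
        if self.batch_cap is not None and len(phones) > self.batch_cap:
            raise ValueError("batch too large")
        used = sum(x.lookups for x in self.sessions.values() if x.account == s.account)
        if self.lookup_budget is not None and used + len(phones) > self.lookup_budget:
            raise PermissionError("lookup budget exhausted")
        s.lookups += len(phones)
        # The oracle: every matched number comes back with the profile behind it.
        return {p: self.users[p] for p in phones if p in self.users}


def enumerate_block(service, attacker_phone, prefix, count, devices, batch, now):
    """Attacker side: register many devices, log each in once, sweep a number range."""
    tokens = []
    for _ in range(devices):
        try:
            tokens.append(service.sms_login(attacker_phone, service.register_device(), now))
        except PermissionError:
            break
    numbers = [f"{prefix}{i:04d}" for i in range(count)]
    found, blocked = {}, 0
    for i in range(0, len(numbers), batch):
        token = tokens[(i // batch) % len(tokens)]  # spread requests over the session pool
        try:
            found.update(service.sync_contacts(token, numbers[i:i + batch], now))
        except (PermissionError, ValueError):
            blocked += 1
    return found, blocked, tokens


def token_still_valid(service, token, now):
    """Can a token minted earlier still open the oracle at time `now`? (step 2)"""
    try:
        service.sync_contacts(token, [], now)
        return True
    except PermissionError:
        return False


# Constructed sample data: 8 accounts with linked numbers inside a 200-number block.
USERS = {f"+1555000{i:04d}": {"nickname": f"user{i}", "uid": 1000 + i}
         for i in (3, 17, 42, 58, 99, 123, 150, 187)}
ATTACKER = "+15559999999"  # the attacker's own SMS-verified number (constructed)


def permissive():
    return ContactSyncService(USERS, token_ttl=60 * DAY)


def hardened():
    return ContactSyncService(USERS, token_ttl=1 * DAY, lookup_budget=25,
                              batch_cap=10, max_sessions=3)


if __name__ == "__main__":
    now = 1_600_000_000.0
    for name, svc, batch in (("permissive", permissive(), 50), ("hardened", hardened(), 10)):
        found, blocked, tokens = enumerate_block(svc, ATTACKER, "+1555000", 200, 20, batch, now)
        print(f"{name}: sessions={len(tokens)} leaked={len(found)}/{len(USERS)} "
              f"blocked={blocked} token_valid_after_30d={token_still_valid(svc, tokens[0], now + 30 * DAY)}")
```

Against the permissive service the sweep recovers every linked profile in four requests and the first token still works a month later; against the throttled one the attacker gets three sessions, two successful batches and then nothing, and the token is dead the next day. The design point is where the budget is keyed: a per-device or per-session limit is worth little when device registration is free (step 1), so the model ties it to the SMS-verified account that is expensive for an attacker to multiply. How TikTok actually fixed the issue is not described in the article.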
Check Point Research responsibly disclosed its findings to ByteDance, the maker of TikTok. A fix has since been deployed so that TikTok users can continue using the application safely.
Oded Vanunu, Head of Products Vulnerabilities Research at Check Point, said: “Our primary motivation was to explore the privacy of TikTok. We were curious to see if the TikTok platform could be used to gain access to private user data. We were able to bypass multiple protection mechanisms of TikTok, which led to a privacy violation. The vulnerability could have allowed an attacker to build a database of user details and their respective phone numbers. An attacker with that degree of sensitive information could perform a range of malicious activities, such as spear phishing or other criminal actions. Our message to TikTok users is to share the bare minimum when it comes to your personal data, and to update your phone’s operating system and applications to the latest versions.”
TikTok said: “The security and privacy of the TikTok community is our highest priority, and we appreciate the work of trusted partners like Check Point in identifying potential issues so that we can resolve them before they affect users. We continue to strengthen our defenses, both by constantly upgrading our internal capabilities, such as investing in automation defenses, and also by working with third parties.”
CPR has now twice found security flaws in TikTok. On January 8, 2020, CPR published a paper on a set of vulnerabilities that could have allowed a threat actor to access personal information saved in a user’s account, manipulate a user’s account details, or take actions on behalf of a user without their consent.
TikTok is reportedly adding 100M users monthly, and has surpassed 2 billion downloads globally, meaning it has nearly tripled in size since 2018. In 2021, mobile data and analytics firm App Annie expects TikTok to not only join the 1 billion monthly active user (MAU) club alongside Facebook, Instagram, Messenger, WhatsApp, YouTube and WeChat; it also predicts TikTok will sail past the 1 billion MAU milestone to reach 1.2 billion average monthly active users.