Potentially massive TikTok vulnerability patched
The issue would have theoretically given hackers access to phone numbers.
A potentially massive vulnerability in TikTok has been patched, preventing the app’s millions of users from inadvertently releasing access to their cell phone numbers. The vulnerability was flagged by Check Point Research, and was identified in TikTok’s friend finder feature. It would “enable the attacker to build a database of users and their related phone numbers, which could then be used for malicious activity,” the threat hunters said.
Check Point had previously identified an issue with TikTok in January 2020, since fixed, that would have allowed hackers to access personal information saved in users' accounts, manipulate users' account details, or take actions on behalf of a user without their consent. “Our primary motivation, this time around, was to explore the privacy of TikTok,” says Ekram Ahmed of Check Point.
“We were curious if the TikTok platform could be used to gain private user data. It turns out that the answer was yes, as we were able to bypass multiple protection mechanisms of TikTok that led to a privacy violation.”
TikTok’s vulnerabilities uncovered
The researchers identified the vulnerability by creating a list of devices (device IDs) to be used for querying TikTok's servers, then creating a list of session tokens used to query the servers. Check Point then bypassed TikTok's HTTP message signing mechanism using their own signing service, executed in the background, and sidestepped all protection mechanisms in the app.
The risk was that this would let cybercriminals link profile details to phone numbers. The vulnerability would only have affected users who had chosen to associate a phone number with their account (which is not required) or who logged in with a phone number.
While neither TikTok nor Check Point could confirm how many people that would affect, Check Point’s Oded Vanunu believes that it would be a significant proportion of TikTok’s user base.
While a threat actor would be limited to requesting 500 contacts per day, per user and per device, says Vanunu, they could quite easily fabricate additional virtual devices and query on a much larger scale.
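The per-device cap described above fails precisely because the attacker controls the device identifier. The following added example (not Check Point's or TikTok's code; the quota values, the churn threshold and the request log are constructed assumptions) simulates a contact-sync endpoint and contrasts a quota keyed only on the device with one keyed on both the account and the device, plus a simple check for an account that presents an unusual number of device IDs in one day. Mass-registered accounts, the other lever the researchers mention, need separate signup controls that this example does not cover.

```python
# Added example: quota enforcement and device-churn detection for a
# contact-sync ("friend finder") endpoint. Constructed sample data; not TikTok code.
from collections import defaultdict
from dataclasses import dataclass

PER_DEVICE_DAILY_LIMIT = 500        # the per-device cap described in the article
PER_ACCOUNT_DAILY_LIMIT = 500       # assumed: same cap applied per account
MAX_DEVICES_PER_ACCOUNT_PER_DAY = 3 # assumed churn threshold before rejecting/alerting


@dataclass
class SyncRequest:
    day: str        # calendar day the request arrived
    account: str    # authenticated account making the request
    device_id: str  # client-supplied device identifier (attacker-controlled)
    contacts: int   # number of contacts submitted for matching


def per_device_only(requests):
    """Quota keyed on (day, device_id) alone.

    Rotating to a fresh device ID resets the counter, so an attacker with
    many fabricated devices is effectively unlimited. Returns total contacts served."""
    used = defaultdict(int)
    allowed = 0
    for r in requests:
        key = (r.day, r.device_id)
        if used[key] + r.contacts <= PER_DEVICE_DAILY_LIMIT:
            used[key] += r.contacts
            allowed += r.contacts
    return allowed


def per_account_and_device(requests):
    """Quota keyed on the account as well as the device, plus churn detection.

    Returns (total contacts served, set of accounts flagged for device churn)."""
    device_used = defaultdict(int)
    account_used = defaultdict(int)
    devices_seen = defaultdict(set)
    allowed = 0
    flagged = set()
    for r in requests:
        devices_seen[(r.day, r.account)].add(r.device_id)
        if len(devices_seen[(r.day, r.account)]) > MAX_DEVICES_PER_ACCOUNT_PER_DAY:
            flagged.add(r.account)   # reject and raise an alert for review
            continue
        if device_used[(r.day, r.device_id)] + r.contacts > PER_DEVICE_DAILY_LIMIT:
            continue
        if account_used[(r.day, r.account)] + r.contacts > PER_ACCOUNT_DAILY_LIMIT:
            continue
        device_used[(r.day, r.device_id)] += r.contacts
        account_used[(r.day, r.account)] += r.contacts
        allowed += r.contacts
    return allowed, flagged


def build_sample():
    """Constructed log: one ordinary user and one account rotating ten device IDs."""
    log = [SyncRequest("2021-01-26", "alice", "dev-alice", 300)]
    for i in range(10):
        log.append(SyncRequest("2021-01-26", "mallory", f"dev-fake-{i}", 500))
    return log


if __name__ == "__main__":
    sample = build_sample()
    print("per-device quota only served:", per_device_only(sample))        # 5300
    print("account+device quota served, flagged:", per_account_and_device(sample))  # (800, {'mallory'})
```

With only the per-device quota, the rotating account is served all 5,000 contacts it asked for; keyed on the account as well, it gets a single day's allowance and is flagged as soon as its fourth device ID appears.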
TikTok responds to the concerns
“The security and privacy of the TikTok community is our highest priority, and we appreciate the work of trusted partners like Check Point in identifying potential issues so that we can resolve them before they affect users,” says a TikTok spokesperson. “We continue to strengthen our defences, both by constantly upgrading our internal capabilities such as investing in automation defences, and also by working with third parties.”
It’s a particular issue for TikTok given the young, and large, user base of the app. Around 690 million people worldwide use the app, according to filings in a lawsuit filed in the United States by TikTok against former president Donald Trump, who spent much of 2020 trying to ban the app. And any concerns about leaking information are amplified by the young user base of TikTok – many of whom are teenagers.
“This is big, because on the day-to-day focus of Check Point we are focusing on cyberwarfare,” says Vanunu.
“All the information relating to user privacy that has so many users is a concern. All the time we ask ourselves how bad actors are so accurate in their attacks.”
This may seem to answer that question. “We always ask ourselves if we can be a legitimate user, will I be able to access the big repository and bypass the security protection to collect data outside my boundaries of the application.”