Cybersecurity researchers on Tuesday disclosed a now-patched security flaw in TikTok that could have potentially enabled an attacker to build a database of the app's users and their associated phone numbers for future malicious activity.
Although this flaw only impacts those users who have linked a phone number with their account or logged in with a phone number, successful exploitation of the vulnerability could have resulted in data leakage and privacy violation, Check Point Research said in an analysis shared with The Hacker News.
TikTok has deployed a fix to address the shortcoming following responsible disclosure from Check Point researchers.
The newly discovered bug resides in TikTok's "Find friends" feature, which allows users to sync their contacts with the service to identify potential people to follow.
The contacts are uploaded to TikTok via an HTTP request in the form of a list that consists of hashed contact names and the corresponding phone numbers.
The app, in the next step, sends out a second HTTP request that retrieves the TikTok profiles connected to the phone numbers sent in the previous request. This response includes profile names, phone numbers, photos, and other profile-related information.
While the upload and sync contact requests are limited to 500 contacts per day, per user, and per device, Check Point researchers found a way to get around the limitation by getting hold of the device identifier, the session cookies set by the server, and a unique token called "X-Tt-Token", which is set when logging into the account with SMS, and then simulating the whole process from an emulator running Android 6.0.1.
It's worth noting that in order to request data from the TikTok application server, the HTTP requests must include X-Gorgon and X-Khronos headers for server verification, which ensures that the messages are not tampered with.
But by modifying the HTTP requests — specifically the number of contacts the attacker wants to sync — and re-signing them with an updated message signature, the flaw made it possible to automate the procedure of uploading and syncing contacts on a large scale and create a database of linked accounts and their connected phone numbers.
This is far from the first time the popular video-sharing app has been found to contain security weaknesses.
In January 2020, Check Point researchers discovered multiple vulnerabilities in the TikTok app that could have been exploited to get hold of user accounts and manipulate their content, including deleting videos, uploading unauthorized videos, making private "hidden" videos public, and revealing personal information saved on the account.
Then in April, security researchers Talal Haj Bakry and Tommy Mysk uncovered flaws in TikTok that made it possible for attackers to display forged videos, including those from verified accounts, by redirecting the app to a fake server hosting a collection of fake videos.
Eventually, TikTok launched a bug bounty partnership with HackerOne last October to help users or security professionals flag technical concerns with the platform. Critical vulnerabilities (CVSS score 9 – 10) are eligible for payouts between $6,900 and $14,800, according to the program.
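The bypass described above works because the daily cap is enforced per user, per device, so a fresh device identifier or a re-signed oversized request buys a fresh allowance. The following added example (not code from the article, Check Point, or TikTok; the class and field names are assumptions) shows a server-side limiter that counts contacts per account per day regardless of the device identifier presented, and flags the two signals an operator would want to alert on: a single request larger than the cap, and several device identifiers drawing on one account's allowance.

```python
"""Per-account daily contact-sync limiter (added illustrative example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

DAILY_CONTACT_CAP = 500  # the per-day limit described in the article


@dataclass
class SyncDecision:
    accepted: int   # contacts the server should go on to process
    rejected: int   # contacts dropped because the daily cap was reached
    flagged: bool   # True when an abuse indicator was observed


@dataclass
class ContactSyncLimiter:
    # (account_id, day) -> contacts consumed so far, independent of device
    used: dict = field(default_factory=lambda: defaultdict(int))
    # (account_id, day) -> set of device identifiers seen for that account
    devices: dict = field(default_factory=lambda: defaultdict(set))

    def check(self, account_id: str, device_id: str, contacts: list,
              now: Optional[datetime] = None) -> SyncDecision:
        day = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%d")
        key = (account_id, day)
        self.devices[key].add(device_id)
        # The allowance is keyed on the account only, so a new device ID or a
        # re-signed larger request cannot multiply the daily budget.
        remaining = max(0, DAILY_CONTACT_CAP - self.used[key])
        accepted = min(len(contacts), remaining)
        self.used[key] += accepted
        # A request already larger than the cap, or more than one device
        # identifier spending the same account's allowance, is worth alerting on.
        flagged = (len(contacts) > DAILY_CONTACT_CAP
                   or len(self.devices[key]) > 1)
        return SyncDecision(accepted, len(contacts) - accepted, flagged)
```

Each list element stands for one (hashed name, phone number) entry; only the count matters to the limiter, so the constructed inputs below use placeholder strings.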
"Our primary motivation, this time around, was to explore the privacy of TikTok," said Oded Vanunu, head of products vulnerabilities research at Check Point. "We were curious if the TikTok platform could be used to gain private user data. It turns out that the answer was yes, as we were able to bypass multiple protection mechanisms of TikTok that lead to privacy violation."
"An attacker with that degree of sensitive information could perform a range of malicious activities, such as spear phishing or other criminal actions."