IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

TikTok vulnerability exposed private user data

Security researchers have discovered that the app's 'Find Friends' feature allows hackers to access user details

Security researchers have discovered a flaw in TikTok that, if exploited, could expose users’ private data and enable an attacker to steal data on users’ contacts too.

According to Check Point Research, whose researchers discovered the flaw, if left unpatched, the vulnerability would have enabled an attacker to access a user’s phone number, TikTok nickname, profile and avatar pictures, unique user IDs, as well as certain profile settings, such as whether a user is a follower or if a user’s profile is hidden.

Researchers discovered the vulnerability in the TikTok app’s 'Find Friends' feature. This uses contacts syncing, which allows users to sync their contacts on their phone to easily find people they may know on TikTok. This makes it possible to connect users’ profile details to their phone numbers.

With those phone numbers and profile details, attackers could potentially access further information related to users, obtained outside of TikTok, such as searching for other accounts or data available.

Researchers described the process of exploiting the flaw. Each time a user launches the TikTok app, it performs a process of device registration to make sure users aren’t switching between devices.

Related Resource

How LogPoint uses MITRE ATT&CK

Stronger cyber security with MITRE ATT&CK

How to improve your cyber security with MITRE ATT&CK - A LogPoint whitepaperDownload now

During the SMS login process from a mobile device, TikTok servers validate the data by generating a token and session cookies. Researchers found the session cookies and token values expire after 60 days, meaning they could use the same cookies to log in for weeks.

Lastly, researchers found that a threat actor can successfully manipulate the sign-in process by bypassing TikTok’s HTTP Message signing, thereby automating the process of uploading and syncing contacts at scale, eventually building a database of users and their connected phone numbers for the threat actor to target.

Check Point Research responsibly disclosed its findings to ByteDance, TikTok’s maker, and the company deployed an updated version of the app to users.

Oded Vanunu, head of products vulnerabilities research at Check Point, said the primary motivation of the research was to explore the privacy of TikTok.

“We were curious to see if the TikTok platform could be used to gain access to private user data. We were able to bypass multiple protection mechanisms of TikTok, that led to privacy violations,” he said.

With the vulnerability enabling a hacker to build a database of user details and their respective phone numbers, they would have access to sensitive information and could perform a range of malicious activities, such as spear phishing or other criminal actions.

“Our message to TikTok users is to share the bare minimum, when it comes to your personal data, and to update your phone’s operating system and applications to the latest versions,” Vanunu said.

Featured Resources

2022 State of the multi-cloud report

What are the biggest multi-cloud motivations for decision-makers, and what are the leading challenges

Free Download

The Total Economic Impact™ of IBM robotic process automation

Cost savings and business benefits enabled by robotic process automation

Free Download

Multi-cloud data integration for data leaders

A holistic data-fabric approach to multi-cloud integration

Free Download

MLOps and trustworthy AI for data leaders

A data fabric approach to MLOps and trustworthy AI

Free Download

Recommended

2022 IBM's Security X-Force cloud threat landscape report
Whitepaper

2022 IBM's Security X-Force cloud threat landscape report

22 Nov 2022
2022 Magic quadrant for Security Information and Event Management (SIEM)
Whitepaper

2022 Magic quadrant for Security Information and Event Management (SIEM)

22 Nov 2022
Seven realities facing SMBs as they enter a future of increased cyber threats
Whitepaper

Seven realities facing SMBs as they enter a future of increased cyber threats

21 Nov 2022
The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

14 Nov 2022

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

14 Nov 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

15 Nov 2022
Interpol arrests nearly 1,000 cyber criminals in months-long anti-fraud operation
cyber crime

Interpol arrests nearly 1,000 cyber criminals in months-long anti-fraud operation

25 Nov 2022