Researchers have found a vulnerability in TikTok that could have allowed attackers to harvest users’ phone numbers and private profile details.
Check Point revealed today that the flaw, which has now been fixed by the popular social network, was found in the app’s “Find Friends” feature.
The problem stems from the fact that TikTok lets users sync their phone contacts with the app, thereby linking user profiles to phone numbers.
If exploited, the flaw could have allowed attackers to bypass the app’s HTTP message signing to log in, and then sync contacts to discover the profiles of every TikTok user in the victim’s phone book.
Worse still, the SMS login flow from a mobile device had TikTok’s servers generate a token and session cookies that did not expire for 60 days, meaning an attacker could reuse the same cookies to log in for weeks.
Among the profile details exposed through the vulnerability are the TikTok nickname, profile and avatar pictures, unique user IDs, and settings such as whether a user is a follower or whether a user’s profile is hidden.
Check Point head of products vulnerability research Oded Vanunu said his team was curious to see whether the TikTok platform could be used to gain access to personal user data.
“We were able to bypass multiple protection mechanisms of TikTok, which led to privacy violation. The vulnerability could have allowed an attacker to build a database of user details and their respective telephone numbers,” he explained.
“An attacker with that degree of sensitive information could perform a variety of malicious activities, such as spear phishing or other crooked actions. Our message to TikTok users is to share the bare minimum when it comes to your private data, and to upgrade your phone’s operating system and applications to the latest versions.”
A TikTok statement acknowledged the work of “trusted partners” like Check Point in making the platform safer for users. “We proceed to strengthen our defenses, both by continuously upgrading our internal capabilities, such as investing in automation defenses, and also by working with third parties,” it added.