Check Point Uncovers Another Privacy Bug in TikTok App
January 27, 2021

Researchers have found a vulnerability in TikTok which could have allowed attackers to harvest users' phone numbers and private profile details.

Check Point revealed today that the flaw, which has since been fixed by the social video platform, was found in the app's "Find Friends" feature.

The problem stems from the fact that TikTok lets users sync their phone contacts with the app, thereby linking user profiles to phone numbers.

If exploited, the flaw could have allowed attackers to bypass the app's HTTP message signing in order to log in, and then sync contacts to discover the profiles of every TikTok user whose number appears in the synced phone book.

Worse still, the SMS login flow from a mobile device involved TikTok servers generating a token and session cookies that did not expire for 60 days, meaning an attacker could reuse the same cookies to log in for weeks.

Among the profile details exposed by the vulnerability are the TikTok nickname, profile and avatar pictures, unique user IDs, and settings such as whether a user is a follower or whether a user's profile is hidden.
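As an added illustration (this is neither Check Point's research code nor anything from TikTok), the Python sketch below models the two weaknesses the article describes side by side: a contact-sync lookup that maps phone numbers to profiles with no quota, driven by a session that stays valid for 60 days, next to a hardened variant with a short session lifetime, a cap on contacts per sync and a daily sync quota. The directory, the candidate number block, and every limit value are constructed assumptions.

```python
"""Toy model of a contact-sync lookup endpoint, built to illustrate the abuse
path the article describes (bulk phone-number-to-profile enumeration with a
long-lived session) next to a hardened variant. Constructed example; it is not
TikTok's code, and every limit and data value is an assumption."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

DAY = 24 * 3600

# Constructed sample directory: phone number -> the profile fields the article
# says were exposed (nickname, user ID, whether the profile is hidden).
DIRECTORY: Dict[str, dict] = {
    "+15550001111": {"nickname": "alice", "user_id": "u1001", "hidden": False},
    "+15550002222": {"nickname": "bob", "user_id": "u1002", "hidden": True},
    "+15550003333": {"nickname": "carol", "user_id": "u1003", "hidden": False},
}

# An attacker's "phone book": every number in one assumed 10,000-number block.
CANDIDATES: List[str] = [f"+1555{n:07d}" for n in range(10_000)]


@dataclass
class Session:
    user_id: str
    issued_at: float
    ttl: float

    def is_valid(self, now: float) -> bool:
        return now < self.issued_at + self.ttl


class SyncServer:
    """Contact-sync backend. With no limits it behaves like the flawed flow;
    with a short TTL and quotas it models the obvious hardening."""

    def __init__(self, session_ttl: float, max_contacts: Optional[int] = None,
                 max_syncs_per_day: Optional[int] = None):
        self.session_ttl = session_ttl
        self.max_contacts = max_contacts
        self.max_syncs_per_day = max_syncs_per_day
        self._sessions: Dict[str, Session] = {}
        self._sync_times: Dict[str, List[float]] = {}

    def login_by_sms(self, user_id: str, now: float) -> str:
        """Issue a session token after (simulated) SMS verification."""
        token = secrets.token_urlsafe(24)
        self._sessions[token] = Session(user_id, now, self.session_ttl)
        return token

    def sync_contacts(self, token: str, numbers: List[str], now: float) -> Dict[str, dict]:
        session = self._sessions.get(token)
        if session is None or not session.is_valid(now):
            raise PermissionError("session missing or expired")
        if self.max_contacts is not None and len(numbers) > self.max_contacts:
            raise ValueError(f"contact list exceeds {self.max_contacts} entries")
        if self.max_syncs_per_day is not None:
            recent = [t for t in self._sync_times.get(session.user_id, [])
                      if now - t < DAY]
            if len(recent) >= self.max_syncs_per_day:
                raise PermissionError("daily sync quota exhausted")
            self._sync_times[session.user_id] = recent + [now]
        return {n: DIRECTORY[n] for n in numbers if n in DIRECTORY}


def enumerate_numbers(server: SyncServer, token: str, candidates: List[str],
                      now: float, batch: int = 500) -> Dict[str, dict]:
    """Attacker loop: push a candidate list through sync in batches and keep
    every number the server maps to a profile."""
    found: Dict[str, dict] = {}
    for i in range(0, len(candidates), batch):
        found.update(server.sync_contacts(token, candidates[i:i + batch], now))
    return found


def demo() -> dict:
    # Flawed flow: 60-day session, no quotas. The token from day 0 still
    # works on day 59 and the whole block is harvested in one run.
    open_server = SyncServer(session_ttl=60 * DAY)
    token = open_server.login_by_sms("attacker", now=0)
    harvested = enumerate_numbers(open_server, token, CANDIDATES, now=59 * DAY)

    # Hardened flow (assumed values): 1-day session, 500 contacts per sync,
    # 2 syncs per day. Enumeration stops after 1,000 numbers, and the same
    # token is refused two days later.
    hardened = SyncServer(session_ttl=DAY, max_contacts=500, max_syncs_per_day=2)
    token2 = hardened.login_by_sms("attacker", now=0)
    blocked = expired = None
    try:
        enumerate_numbers(hardened, token2, CANDIDATES, now=3600)
    except PermissionError as exc:
        blocked = str(exc)
    try:
        hardened.sync_contacts(token2, CANDIDATES[:10], now=2 * DAY)
    except PermissionError as exc:
        expired = str(exc)
    return {"harvested": harvested, "blocked": blocked, "expired": expired}


if __name__ == "__main__":
    result = demo()
    print(f"flawed flow harvested {len(result['harvested'])} profiles")
    print(f"hardened flow: {result['blocked']}; later: {result['expired']}")
```

The point of the quota is that a legitimate user syncs a phone book of a few hundred entries a handful of times, while enumeration needs thousands of lookups per session; capping both the batch size and the daily count turns a bulk database build into a slow, noisy operation, and a short session lifetime stops a captured cookie from being replayed for weeks.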

Check Point head of products vulnerabilities research, Oded Vanunu, said his team was curious to see whether the TikTok platform could be used to gain access to private user data.

"We were able to bypass multiple protection mechanisms of TikTok, which led to a privacy violation. The vulnerability would have allowed an attacker to build a database of user details and their respective phone numbers," he explained.

"An attacker with that degree of sensitive information could perform a range of malicious activities, such as spear phishing or other criminal actions. Our message to TikTok users is to share the bare minimum when it comes to your personal data, and to update your phone's operating system and applications to the latest versions."

A TikTok statement acknowledged the work of "trusted partners" like Check Point in making the platform safer for users. "We continue to strengthen our defenses, both by continuously upgrading our internal capabilities such as investing in automated defenses, and also by working with third parties," it added.
