Cybersecurity researchers on Tuesday disclosed a now-patched security flaw in TikTok that could have potentially enabled an attacker to build a database of the app’s users and their associated phone numbers for future malicious activity.
Although this flaw only impacts those users who have linked a phone number with their account or logged in with a phone number, successful exploitation of the vulnerability could have resulted in data leakage and privacy violation, Check Point Research said in an analysis shared with The Hacker News.
TikTok has deployed a fix to address the shortcoming following responsible disclosure from Check Point researchers.
The newly discovered bug resides in TikTok’s “Find friends” feature that allows users to sync their contacts with the service to identify potential people to follow.
The contacts are uploaded to TikTok via an HTTP request in the form of a list that consists of hashed contact names and the corresponding phone numbers.
The app, in the next step, sends out a second HTTP request that retrieves the TikTok profiles connected to the phone numbers sent in the previous request. This response includes profile names, phone numbers, photos, and other profile related information.
While the upload and sync contact requests are limited to 500 contacts per day, per user, and per device, Check Point researchers found a way to get around the limitation by getting hold of the device identifier, session cookies set by the server, a unique token called “X-Tt-Token” that’s set when logging into the account with SMS and simulate the whole process from an emulator running Android 6.0.1.
It’s worth noting that in order to request data from the TikTok application server, the HTTP requests must include X-Gorgon and X-Khronos headers for server verification, which ensures that the messages are not tampered with.
But by modifying the HTTP requests — the number of contacts the attacker wants to sync — and re-signing them with an updated message signature, the flaw made it possible to automate the procedure of uploading and syncing contacts on a large scale and create a database of linked accounts and their connected phone numbers.
This is far from the first time the popular video-sharing app has been found to contain security weaknesses.
In January 2020, Check Point researchers discovered multiple vulnerabilities within the TikTok app that could have been exploited to get hold of user accounts and manipulate their content, including deleting videos, uploading unauthorized videos, making private “hidden” videos public, and revealing personal information saved on the account.
Then in April, security researchers Talal Haj Bakry and Tommy Mysk exposed flaws in TikTok that made it possible for attackers to display forged videos, including those from verified accounts, by redirecting the app to a fake server hosting a collection of fake videos.
Eventually, TikTok launched a bug bounty partnership with HackerOne last October to help users or security professionals flag technical concerns with the platform. Critical vulnerabilities (CVSS score 9 – 10) are eligible for payouts between $6,900 to $14,800, according to the program.
“Our primary motivation, this time around, was to explore the privacy of TikTok,” said Oded Vanunu, head of products vulnerabilities research at Check Point. “We were curious if the TikTok platform could be used to gain private user data. It turns out that the answer was yes, as we were able to bypass multiple protection mechanisms of TikTok that lead to privacy violation.”
“An attacker with that degree of sensitive information could perform a range of malicious activities, such as spear phishing or other criminal actions.”