A vulnerability in the popular TikTok short-form video-sharing platform could have allowed attackers to easily compile users’ phone numbers, unique user IDs and other data ripe for phishing attacks.
TikTok, owned by ByteDance, has more than 800 million active users worldwide. The vulnerability, which was reported and patched before its disclosure on Tuesday, existed in the “Find Friends” feature of the TikTok mobile app. This feature allows users to find their friends, either via their contacts, via Facebook or by inviting friends.
In order to help users find friends through their contacts, TikTok contained a sync feature for contacts who had TikTok accounts. That means that it is possible to connect profile details with phone numbers. Researchers said an attacker could leverage this feature in order to query TikTok’s entire database – potentially opening up for privacy violations.
“The vulnerability could have allowed an attacker to build a database of user details and their respective phone numbers,” said Oded Vanunu, head of products vulnerabilities research at Check Point. “An attacker with that degree of sensitive information could perform a range of malicious activities, such as spear phishing or other criminal actions.”
The Attack
To launch an attack, a bad actor would need to first bypass TikTok’s HTTP message signing mechanism, which aims to protect threat actors from tampering with HTTP messages or modifying the body of the HTTP request.
Researchers were able to achieve this using TikTok’s own signing service, executed in the background. By using a dynamic analysis framework like Frida, an attacker could hook the function, change the data of the function’s arguments (in this case the contacts the attacker wants to sync) and re-sign the modified request to send to the TikTok application server.
TikTok’s “Find Friends” feature. Credit: Check Point Research
From there, an attacker could automate the process of uploading and syncing contacts at a large scale. This could allow them to build a database of users and their connected phone numbers. Other profile details that would be accessible include the nickname associated with the account, profile and avatar pictures, unique user IDs, as well as certain profile settings, such as whether a user is a follower or if user’s profile is hidden. This type of data can give attackers the tools they need for social-engineering attacks used in phishing and spear-phishing emails. For instance, if an attacker demonstrates to a phishing victim that they have their phone number or unique user ID associated with their TikTok account, the victim is more apt to believe them.
One caveat of note is that this flaw could have only impacted users who had chosen to associate a phone number with their account, or who had logged in with a phone number. Neither of these options is required for users.
Researchers disclosed their findings to ByteDance, which deployed a solution. Now, under the “Find Friends” feature, users can only invite their friends rather than discover contacts that have TikTok accounts.
“The security and privacy of the TikTok community is our highest priority, and we appreciate the work of trusted partners like Check Point in identifying potential issues so that we can resolve them before they affect users,” said a TikTok spokesperson in a statement. “We continue to strengthen our defenses, both by constantly upgrading our internal capabilities such as investing in automation defenses, and also by working with third parties.”
TikTok Flaws
TikTok, which has previously triggered controversy for its privacy policies, earlier in 2020 faced scrutiny over various vulnerabilities found in its platform. Researchers said the most serious vulnerability in the platform could allow attackers to remotely take control over parts of victims’ TikTok account, such as uploading or deleting videos, and changing settings on videos to make “hidden” videos public.
Vanunu urged TikTok users to “share the bare minimum when it comes to your personal data,” and “update your OS and applications to the latest versions.”
Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World , sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!