Check Point Research (CPR) has recently disclosed a vulnerability in TikTok's "Find Friends" feature that bypasses the app's privacy protections.
Had it not been addressed, the vulnerability would have allowed an attacker to access profile details and the phone numbers linked to users' accounts, making it possible to build a database of that information for use in future malicious activity.
This is the second time CPR investigators have found security flaws in TikTok. The profile data reachable through the most recent vulnerability includes: phone number, nickname, profile and avatar pictures, unique user IDs, and certain profile settings, such as whether the user is a follower or whether their profile is locked.
How intruders could exploit this vulnerability:
- Create a list of device IDs to use when querying TikTok's servers.
- Create a list of session tokens (each token is valid for 60 days) to use when querying TikTok's servers.
- Bypass TikTok's HTTP message-signing mechanism by running their own signing service in the background.
- Tie all of the above together by modifying HTTP requests and resending them with different tokens and device IDs, so that TikTok's protection mechanisms are evaded.
What Check Point Research and ByteDance did next
CPR responsibly disclosed its findings to ByteDance, TikTok's developer. On the positive side, TikTok's developers have released a fix so that TikTok users can continue to use the application safely.
In its previous research on TikTok, CPR had already found security flaws in the app.
On January 8, 2020, CPR published a report on a set of vulnerabilities that could allow a threat actor to gain access to personal information stored in user accounts, manipulate user account information, or take actions on behalf of a user without his or her consent.
Oded Vanunu, Head of Product Vulnerability Research at Check Point, stated:
An intruder with this level of sensitive information could commit a number of malicious activities, such as phishing or other criminal activities. Our message to TikTok users is to share as little of their personal data as possible, and to update their operating system and applications to the latest versions.
A TikTok spokesman said: