TikTok Fixes Flaws Allowing Theft Of Private User Information
ByteDance, the tech firm behind TikTok, has addressed a security vulnerability in the video-sharing social networking service which could have allowed attackers to steal users’ private personal information.
TikTok has servers in the countries where its iOS and Android apps operate and it is used for sharing short-form looping mobile videos of 3 to 60 seconds.
The platform’s Android app has more than 1 billion installs according to Google Play Store stats, and it crossed 2 billion downloads across all mobile platforms in April 2020 according to Sensor Tower Store Intelligence stats.
Private user data exposed to data theft
The security vulnerability found by Check Point researchers in TikTok’s ‘Find Friends’ feature allowed attackers to bypass the platform’s privacy protections, enabling them to gain access to users’ private personal information including, but not limited to, phone numbers and user IDs.
“Profile details that were accessible via the vulnerability include phone number, nickname, profile and avatar pictures, unique user IDs, as well as certain profile settings, such as whether a user is a follower or if a user’s profile is hidden,” Check Point says.
The user information exfiltrated in attacks exploiting this TikTok vulnerability could later be used to launch spearphishing attacks and other types of malicious activity.
To exploit this bug and bypass TikTok’s privacy defenses, attackers would have to:
- Create a list of devices (device IDs) that will be used for querying TikTok’s servers.
- Create a list of session tokens (each session token is valid for 60 days) that will be used for querying TikTok’s servers.
- Bypass TikTok’s HTTP message signing mechanism using their own signing service, executed in the background.
- Chain it all together by modifying HTTP requests, re-signing them, and using various session tokens and device IDs to bypass TikTok’s protection mechanisms.
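The chain above works because each device ID and session token individually stays under the platform’s per-client limits, so a defender has to look across clients rather than at one at a time. The following is an added example written for this page, not code from Check Point, TikTok or the article: a small detection routine that groups contact-lookup requests by source IP and time window and flags a source that drives an unusually large number of distinct device IDs and session tokens through the lookup endpoint. The log format, the `/friends/lookup` endpoint name, the thresholds and the log lines themselves are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, not real platform logs).
# Fields: timestamp | client_ip | device_id | session_token_id | endpoint | contacts_queried
# The first source rotates through six device IDs and six session tokens within
# a few seconds; the second is a single ordinary client; the third never hits
# the lookup endpoint at all.
SAMPLE_LOG = """\
2021-01-26T10:00:01Z|203.0.113.5|dev-a1|tok-0001|/friends/lookup|25
2021-01-26T10:00:02Z|203.0.113.5|dev-a2|tok-0002|/friends/lookup|25
2021-01-26T10:00:03Z|203.0.113.5|dev-a3|tok-0003|/friends/lookup|25
2021-01-26T10:00:04Z|203.0.113.5|dev-a4|tok-0004|/friends/lookup|25
2021-01-26T10:00:05Z|203.0.113.5|dev-a5|tok-0005|/friends/lookup|25
2021-01-26T10:00:06Z|203.0.113.5|dev-a6|tok-0006|/friends/lookup|25
2021-01-26T10:00:07Z|198.51.100.7|dev-b1|tok-0101|/friends/lookup|12
2021-01-26T10:05:00Z|198.51.100.7|dev-b1|tok-0101|/friends/lookup|8
2021-01-26T10:00:08Z|192.0.2.9|dev-c1|tok-0201|/video/feed|0
"""

LOOKUP_ENDPOINT = "/friends/lookup"  # hypothetical contact-sync endpoint name


def parse_line(line):
    """Split one pipe-delimited log line into a dict with a parsed timestamp."""
    ts, ip, device, token, endpoint, contacts = line.split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "device": device,
        "token": token,
        "endpoint": endpoint,
        "contacts": int(contacts),
    }


def window_start(ts, window):
    """Floor a timestamp to the start of its fixed-size window."""
    epoch = datetime(1970, 1, 1)
    secs = int((ts - epoch).total_seconds())
    size = int(window.total_seconds())
    return epoch + timedelta(seconds=secs - secs % size)


def detect_enumeration(log_text, window=timedelta(minutes=10),
                       max_devices=3, max_tokens=3, max_contacts=100):
    """Flag sources that spread lookups over many device IDs / session tokens.

    Per-device and per-token limits are what the rotation in the article is
    designed to slip under, so the aggregation key here is the source IP and
    a time window, not the client identifiers the attacker controls.
    """
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event["endpoint"] != LOOKUP_ENDPOINT:
            continue
        buckets[(event["ip"], window_start(event["ts"], window))].append(event)

    alerts = []
    for (ip, start), events in sorted(buckets.items()):
        devices = {e["device"] for e in events}
        tokens = {e["token"] for e in events}
        contacts = sum(e["contacts"] for e in events)
        reasons = []
        if len(devices) > max_devices:
            reasons.append(f"{len(devices)} distinct device IDs")
        if len(tokens) > max_tokens:
            reasons.append(f"{len(tokens)} distinct session tokens")
        if contacts > max_contacts:
            reasons.append(f"{contacts} contacts queried")
        if reasons:
            alerts.append({
                "ip": ip,
                "window_start": start,
                "devices": len(devices),
                "tokens": len(tokens),
                "contacts": contacts,
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(f"{alert['ip']} from {alert['window_start']:%H:%M}: "
              + "; ".join(alert["reasons"]))
```

On the constructed sample this raises one alert, for 203.0.113.5, on all three counts; the single-device client stays well under every threshold. Source IP is only one possible aggregation key: in production a defender would also key on whatever the client cannot cheaply rotate, such as the TLS fingerprint or the signing behaviour that a home-grown signing service exhibits.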
In-depth information on how the vulnerability could be exploited to steal TikTok users’ private info is available in Check Point’s report shared with BleepingComputer in advance.
Vulnerability now fixed
ByteDance addressed the TikTok vulnerability following Check Point’s responsible disclosure, blocking future attempts to circumvent the platform’s privacy safeguards and steal users’ private data.
“An attacker with that degree of sensitive information could perform a range of malicious activities, such as spear phishing or other criminal actions,” Oded Vanunu, Head of Products Vulnerabilities Research said. “Our message to TikTok users is to share the bare minimum when it comes to your personal data.”
“The security and privacy of the TikTok community is our highest priority, and we appreciate the work of trusted partners like Check Point in identifying potential issues so that we can resolve them before they affect users,” a TikTok spokesperson said in a statement.
“We continue to strengthen our defenses, both by constantly upgrading our internal capabilities such as investing in automation defenses, and also by working with third parties.”
Previously patched vulnerabilities
In January 2020, TikTok addressed another batch of security vulnerabilities in its infrastructure, disclosed by Check Point researchers in late November 2019, that allowed attackers to hijack accounts, manipulate users’ videos, and steal their info.
To exploit those vulnerabilities, attackers could abuse TikTok’s SMS system which made it possible to delete videos, make users’ private videos public, and steal their sensitive personal data.
TikTok also fixed two security bugs in November 2020 that could have enabled hackers to take over, with a single click, the accounts of users who signed up via third-party apps.
TikTok launched a private bug bounty program in April 2020 and a HackerOne bug bounty program in October 2020, encouraging security researchers to responsibly disclose any security bugs they find in TikTok’s mobile and web apps.