Privacy Ninja
TikTok Fixes Flaws Allowing Theft Of Private User Information

ByteDance, the tech firm behind TikTok, has addressed a security vulnerability in the video-sharing social networking service which could have allowed attackers to steal users’ private personal information.

TikTok has servers in the countries where its iOS and Android apps operate and it is used for sharing short-form looping mobile videos of 3 to 60 seconds.

The platform’s Android app has more than 1 billion installs according to Google Play Store stats and it has also crossed 2 billion downloads on all mobile platforms in April 2020 according to Sensor Tower Store Intelligence stats.

Private user data exposed to data theft

The security vulnerability, found by Check Point researchers in TikTok’s ‘Find Friends’ feature, allowed attackers to bypass the platform’s privacy protections and gain access to users’ private personal information, including but not limited to phone numbers and user IDs.

“Profile details that were accessible via the vulnerability include phone number, nickname, profile and avatar pictures, unique user IDs, as well as certain profile settings, such as whether a user is a follower or if user’s profile is hidden,” Check Point says.

User information exfiltrated by exploiting this vulnerability could later be used to launch spear-phishing attacks and for other types of malicious activity.


To exploit this bug and bypass TikTok’s privacy defences, attackers would have to:

  1. Create a list of devices (device IDs) to be used for querying TikTok’s servers.
  2. Create a list of session tokens (each session token is valid for 60 days) to be used for querying TikTok’s servers.
  3. Bypass TikTok’s HTTP message signing mechanism by running their own signing service in the background.
  4. Chain it all together by modifying HTTP requests, re-signing them, and cycling through the session tokens and device IDs to bypass TikTok’s protection mechanisms.
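The page does not say which protection mechanism the rotation of session tokens and device IDs in steps 1, 2 and 4 defeated. The following is an added illustration, not TikTok’s or Check Point’s code, that assumes one plausible candidate: a lookup quota keyed on whatever identity the client presents. It simulates constructed attacker traffic against that naive quota and against a quota keyed on the account the server resolves the token to, and adds a detector that flags accounts presenting many distinct (device ID, token) pairs. The account names, token and device ID formats, limits and request records are all hypothetical.

```python
"""
Added illustration (not TikTok's or Check Point's code): a request quota keyed on
the presented session token / device ID is reset by the rotation in steps 1-2
above; keying the quota on the account behind the token, plus a rotation
detector over the request log, changes that. All names, limits and traffic
below are constructed for the example.
"""
import itertools
from collections import defaultdict

PER_IDENTITY_LIMIT = 20          # lookups allowed per quota key (assumed value)
MAX_IDENTITIES_PER_ACCOUNT = 3   # more distinct (device, token) pairs than this is suspicious

# Hypothetical attacker-controlled accounts, each holding several long-lived
# session tokens. The server's session store knows which account owns each token.
ATTACKER_ACCOUNTS = ("acct-a", "acct-b", "acct-c")
TOKEN_OWNER = {f"tok-{acct}-{i}": acct for acct in ATTACKER_ACCOUNTS for i in range(5)}
DEVICE_IDS = [f"dev-{i}" for i in range(5)]


def build_attack(num_targets):
    """Constructed attacker traffic: one 'Find Friends' lookup per target,
    switching to a fresh (device_id, token) pair every PER_IDENTITY_LIMIT
    requests, as steps 1, 2 and 4 describe."""
    identities = itertools.cycle(itertools.product(DEVICE_IDS, sorted(TOKEN_OWNER)))
    device_id, token = next(identities)
    requests = []
    for n in range(num_targets):
        if n and n % PER_IDENTITY_LIMIT == 0:
            device_id, token = next(identities)
        # 'target' stands in for the (hashed) phone number being looked up
        requests.append({"device_id": device_id, "token": token, "target": f"target-{n:04d}"})
    return requests


class NaiveLimiter:
    """Quota keyed on what the client presents: every new token or device ID
    gets a fresh quota, so rotation resets the counter."""

    def __init__(self, limit):
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, req):
        key = (req["device_id"], req["token"])
        if self.counts[key] >= self.limit:
            return False
        self.counts[key] += 1
        return True


class AccountLimiter:
    """Quota keyed on the account the token resolves to server-side. Rotating
    tokens or device IDs no longer helps; only more accounts do, which is a
    costlier and more visible step for the attacker."""

    def __init__(self, limit, token_owner):
        self.limit = limit
        self.token_owner = token_owner
        self.counts = defaultdict(int)

    def allow(self, req):
        account = self.token_owner.get(req["token"])
        if account is None:              # unknown or forged session: reject outright
            return False
        if self.counts[account] >= self.limit:
            return False
        self.counts[account] += 1
        return True


def run(limiter, requests):
    """Number of lookups the limiter lets through."""
    return sum(1 for req in requests if limiter.allow(req))


def rotating_identity_accounts(requests, token_owner=TOKEN_OWNER,
                               max_identities=MAX_IDENTITIES_PER_ACCOUNT):
    """Detection over the request log: accounts whose tokens were presented
    from more than max_identities distinct (device_id, token) pairs."""
    seen = defaultdict(set)
    for req in requests:
        account = token_owner.get(req["token"])
        if account is not None:
            seen[account].add((req["device_id"], req["token"]))
    return sorted(acct for acct, ids in seen.items() if len(ids) > max_identities)


if __name__ == "__main__":
    traffic = build_attack(500)
    print("naive limiter allowed:", run(NaiveLimiter(PER_IDENTITY_LIMIT), traffic))                   # 500
    print("account limiter allowed:", run(AccountLimiter(PER_IDENTITY_LIMIT, TOKEN_OWNER), traffic))  # 60
    print("accounts rotating identities:", rotating_identity_accounts(traffic))
```

With 500 targets the attacker needs 25 identities out of the 75 it prepared, and the naive quota lets every lookup through; the account-keyed quota caps it at 20 per attacker account, and the detector names all three accounts. Per-account keying is not sufficient on its own, since an attacker can register more accounts, so a real deployment would also cap lookups per target and per source network; and the request signing of step 3 is not a substitute for any of this, because the attacker simply ran their own signer.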

In-depth information on how the vulnerability could be exploited to steal TikTok users’ private info is available in Check Point’s report shared with BleepingComputer in advance.

Vulnerability now fixed

ByteDance addressed the TikTok vulnerability following Check Point’s responsible disclosure, blocking future attempts to circumvent the platform’s privacy safeguards and steal users’ private data.

“An attacker with that degree of sensitive information could perform a range of malicious activities, such as spear phishing or other criminal actions,” Oded Vanunu, Head of Products Vulnerabilities Research said. “Our message to TikTok users is to share the bare minimum when it comes to your personal data.”

“The security and privacy of the TikTok community is our highest priority, and we appreciate the work of trusted partners like Check Point in identifying potential issues so that we can resolve them before they affect users,” a TikTok spokesperson said in a statement.

“We continue to strengthen our defenses, both by constantly upgrading our internal capabilities such as investing in automation defenses, and also by working with third parties.”

Previously patched vulnerabilities

In January 2020, TikTok addressed another batch of security vulnerabilities in its infrastructure, disclosed by Check Point researchers in late November 2019, that allowed attackers to hijack accounts, manipulate users’ videos, and steal their information.

To exploit those vulnerabilities, attackers could abuse TikTok’s SMS system which made it possible to delete videos, make users’ private videos public, and steal their sensitive personal data.

TikTok also fixed two security bugs in November 2020 that could have enabled hackers to take over, with a single click, the accounts of users who signed up via third-party apps.


TikTok launched a private bug bounty program in April 2020, followed by a public HackerOne bug bounty program in October 2020, encouraging security researchers to responsibly disclose any security bugs they find in TikTok’s mobile and web apps.
