A security flaw in TikTok's Find Friends feature could have allowed unauthorized access to user data. The short-video platform has since fixed the vulnerability, but while it was live the bug allowed an attacker to build a large database of usernames and their linked phone numbers.
By exploiting a loophole in the Find Friends feature, an attacker could have compiled a database of the app's users and their linked phone numbers. The flaw primarily affected TikTok users who had linked a phone number to their account or logged in with one.
How did the TikTok Find Friends feature allow an attacker to build a large, unauthorized database of usernames and linked phone numbers?
The newly discovered (and now fixed) bug existed in TikTok’s “Find friends” feature. The feature allows users to sync their contacts with the service to identify potential people to follow.
The feature works over a simple HTTP request carrying a list: when a user syncs, the app sends the hashed contact names together with the corresponding phone numbers.
The app then sends a second HTTP request that retrieves the TikTok profiles linked to those phone numbers. The response includes profile names, phone numbers, photos and other profile information, which is what makes the endpoint valuable to a scraper.
Safeguards exist to prevent users from abusing Find Friends to build a large database, but the bug allowed an attacker to circumvent them.
"This would enable the attacker to build a database of users and their related phone numbers." (Reports @WAK4S) #Security #TikTok #Vulnerability #Privacy #InfoSec https://t.co/St36x5e05H (Lorenzo H. Gómez, @lgomezperu, January 26, 2021)
Ordinary users are limited to 500 contacts per day, per user and per device. The researchers found a way around this limit: by manipulating the HTTP requests they could keep the sync running around the clock.
Researchers at Check Point Research published a report showing how easy it was to mount a "scraping" (data-mining) attack. All they needed was a device identifier, the session cookies set by the server, and a unique token called "X-Tt-Token" that is set when logging into the account via SMS.
By modifying the HTTP requests to change the number of contacts to sync, and re-signing them with an updated message signature, an attacker could automate the whole procedure. Because the signature is produced by the app itself, it offers no protection against a tampered request once the signing routine has been reproduced.
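The failure mode the researchers describe, a quota that is keyed on a value the client supplies, is easiest to see in a small model. The following is an added example written for this article; it is not TikTok's or Check Point's code, and the endpoint shape, field names, the use of SHA-256 for the contact-name hash, the 100-contact batch cap and the sample numbers are all assumptions. It contrasts a sync service whose daily quota is keyed on the client-supplied device identifier (so rotating that identifier resets the counter) with one that keys the quota on the authenticated account, caps the batch size, and stops echoing phone numbers back in the response.

```python
import hashlib
from collections import defaultdict

DAILY_LIMIT = 500   # daily contact cap described in the article
BATCH_CAP = 100     # assumed per-request cap used by the hardened variant


def hash_contact_name(name):
    """The sync request carries hashed contact names; SHA-256 is an assumption here."""
    return hashlib.sha256(name.encode("utf-8")).hexdigest()


def build_sync_request(device_id, session_token, contacts):
    """Model of the first request: hashed names plus phone numbers (field names assumed)."""
    return {
        "device_id": device_id,
        "x_tt_token": session_token,
        "contacts": [{"name_hash": hash_contact_name(n), "phone": p} for n, p in contacts],
    }


class VulnerableSyncService:
    """Quota keyed on (account, client-supplied device_id): a new device_id resets it."""

    def __init__(self, directory, sessions):
        self.directory = directory    # phone -> {"username": ..., "phone": ...}
        self.sessions = sessions      # session token -> account id
        self.used = defaultdict(int)  # quota consumed per key

    def sync(self, req):
        account = self.sessions.get(req["x_tt_token"])
        if account is None:
            return {"error": "unauthenticated", "matches": []}
        key = (account, req["device_id"])          # trusts the client's device_id
        n = len(req["contacts"])
        if self.used[key] + n > DAILY_LIMIT:
            return {"error": "rate_limited", "matches": []}
        self.used[key] += n
        # Over-shares: the full directory record, phone number included, comes back.
        return {"matches": [self.directory[c["phone"]]
                            for c in req["contacts"] if c["phone"] in self.directory]}


class HardenedSyncService(VulnerableSyncService):
    """Quota keyed on the account only, batch size capped, phone numbers not returned."""

    def sync(self, req):
        account = self.sessions.get(req["x_tt_token"])
        if account is None:
            return {"error": "unauthenticated", "matches": []}
        n = len(req["contacts"])
        if n > BATCH_CAP:
            return {"error": "batch_too_large", "matches": []}
        if self.used[account] + n > DAILY_LIMIT:  # device_id plays no part in the key
            return {"error": "rate_limited", "matches": []}
        self.used[account] += n
        return {"matches": [{"username": self.directory[c["phone"]]["username"]}
                            for c in req["contacts"] if c["phone"] in self.directory]}


def enumerate_numbers(service, token, numbers, batch=100, rotate_device=False):
    """Scraper loop: pushes a number range through sync in batches, optionally
    presenting a fresh device_id per batch. Returns (profiles learned, refusals)."""
    found, refused = [], 0
    for i in range(0, len(numbers), batch):
        chunk = numbers[i:i + batch]
        device = f"dev-{i}" if rotate_device else "dev-0"
        req = build_sync_request(device, token, [(f"c{j}", p) for j, p in enumerate(chunk, i)])
        resp = service.sync(req)
        if resp.get("error") == "rate_limited":
            refused += 1
            continue
        found.extend(resp["matches"])
    return found, refused


def demo(rotate_device=True):
    """Constructed sample data: 2,000 numbers, every tenth one registered.
    Returns (profiles learned from the vulnerable service,
             profiles learned from the hardened service, hardened refusals)."""
    numbers = [f"+1555000{i:04d}" for i in range(2000)]
    directory = {p: {"username": f"user{i}", "phone": p}
                 for i, p in enumerate(numbers) if i % 10 == 0}
    sessions = {"tok-attacker": "acct-42"}
    vuln, _ = enumerate_numbers(VulnerableSyncService(directory, sessions),
                                "tok-attacker", numbers, rotate_device=rotate_device)
    hard, refused = enumerate_numbers(HardenedSyncService(directory, sessions),
                                      "tok-attacker", numbers, rotate_device=rotate_device)
    return len(vuln), len(hard), refused


if __name__ == "__main__":
    print(demo())
```

With device rotation the vulnerable service hands over all 200 registered profiles, while the hardened one stops after the account's 500-contact quota and refuses the remaining 15 batches; without rotation both behave the same, which is exactly why a quota keyed on client-controlled input only looks like a defense. Note that the hardened variant also returns only the username, so even a scraper who stays within quota learns nothing it did not already supply.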
TikTok is riddled with security loopholes and vulnerabilities but is trying to fix them with a Bug Bounty program:
Check Point researchers have discovered multiple vulnerabilities in the TikTok app, and the company has been warning about the platform's poorly implemented defenses since January 2020.
Some of those bugs allowed attackers to take over user accounts and manipulate their content: deleting videos, uploading unauthorized videos, making private "hidden" videos public, and revealing personal information saved on the account.
The platform was also vulnerable to redirection attacks. Simply put, attackers could redirect the app to a fake server hosting a collection of forged videos and have them displayed as if they came from legitimate, even verified, accounts.
CNET: TikTok vulnerability left users' private information exposed – https://t.co/YQ0ZDaaY2C #security #privacy #TikTok (Tara Calishain, @ResearchBuzz, January 26, 2021)
Researchers now advise social media users to share the bare minimum of information and not to post personal or identifiable data openly. Notably, TikTok tightened its privacy defaults for users under 18 only this month (January 2021).
Beyond default privacy settings, TikTok runs a Bug Bounty program that rewards security researchers for reporting faults, loopholes and bugs in the platform. It also offers a tool called "Family Pairing," which lets parents link their TikTok account to their teenager's account.