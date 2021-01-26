
TikTok Bug Gave Access to Contacts’ Profile Details

Researchers have discovered a vulnerability in TikTok which could have allowed attackers to harvest users’ phone numbers and personal profile details.

Check Point revealed today that the flaw, which has now been fixed by the popular social network, was found in the app’s “Find Friends” feature.

The problem stems from the fact that TikTok allows users to sync their phone contacts with the app, thus connecting user profiles with phone numbers.

If exploited, the flaw could have allowed attackers to bypass the app’s HTTP message signing, log in, and then sync contacts to discover the profiles of all the TikTok users in the victim’s phone book.

Worse still, the SMS log-in process from a mobile device involved TikTok servers generating a token and session cookies that did not expire for 60 days, meaning an attacker could reuse the same cookies to log in for weeks.

Among the profile details exposed by the vulnerability were the TikTok nickname, profile and avatar pictures, unique user IDs, and settings such as whether a user is a follower or whether a user’s profile is hidden.

Check Point head of products vulnerabilities research, Oded Vanunu, said his team was curious to see if the TikTok platform could be used to gain access to private user data. 

“We were able to bypass multiple protection mechanisms of TikTok, that led to privacy violation. The vulnerability could have allowed an attacker to build a database of user details and their respective phone numbers,” he explained.

“An attacker with that degree of sensitive information could perform a range of malicious activities, such as spear phishing or other criminal actions. Our message to TikTok users is to share the bare minimum, when it comes to your personal data, and to update your phone’s operating system and applications to the latest versions.”

A TikTok statement recognized the work of “trusted partners” like Check Point in making the platform safer for users.

“We continue to strengthen our defenses, both by constantly upgrading our internal capabilities such as investing in automation defenses, and also by working with third parties,” it added.
