Colin Mc Hugo
Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.
TikTok Bug Could Have Exposed Users’ Profile Data and Phone Numbers

January 28, 2021

Cybersecurity researchers on Tuesday disclosed a now-patched security flaw in TikTok that could have enabled an attacker to build a database of the app's users and their associated phone numbers for later malicious activity.

Although the flaw only affects users who have linked a phone number to their account or logged in with a phone number, successful exploitation of the vulnerability could have resulted in data leakage and a privacy violation, Check Point Research said in an analysis shared with The Hacker News.

TikTok has deployed a fix to address the shortcoming following responsible disclosure from Check Point researchers.


The newly discovered bug resides in TikTok's "Find friends" feature, which lets users sync their contacts with the service to identify people they may want to follow.

The contacts are uploaded to TikTok via an HTTP request in the form of a list consisting of hashed contact names and the corresponding phone numbers.

In the next step, the app sends a second HTTP request that retrieves the TikTok profiles linked to the phone numbers sent in the previous request. The response includes profile names, phone numbers, photos, and other profile-related information.


While the contact upload and sync requests are limited to 500 contacts per day, per user, and per device, Check Point researchers found a way around the limitation by obtaining the device identifier, the session cookies set by the server, and a unique token called "X-Tt-Token" that is set when logging into the account via SMS, and then replaying the whole process from an emulator running Android 6.0.1.

It is worth noting that, in order to request data from the TikTok application server, HTTP requests must carry X-Gorgon and X-Khronos headers for server-side verification, which ensures the messages have not been tampered with. Such signing protects the integrity of a request; it does not by itself limit how many valid requests a party able to produce the signature can send.

By modifying the HTTP requests, specifically the number of contacts the attacker wants to sync, and re-signing them with an updated message signature, the researchers could automate the process of uploading and syncing contacts at scale and build a database of linked accounts and their connected phone numbers.
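The flow above, reduced to a toy model, as an added example (not TikTok's or Check Point's code). It shows why an integrity header in the style of X-Gorgon/X-Khronos plus a quota keyed on a client-supplied device identifier does not stop bulk phone-number enumeration, and contrasts it with a server that accounts quota against the authenticated account only, caps the contacts per request, and does not echo phone numbers back. Everything here is constructed for the example: the HMAC stands in for the real signing scheme, and the signing key, the directory of profiles, the number range, the 100-contacts-per-request cap and the `emulator-N` device identifiers are all assumptions; only the 500-contacts-per-day quota comes from the article.

```python
"""Toy model of a contact-sync lookup endpoint (constructed example)."""
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed: the key an app would embed to produce an integrity header.
# Anyone driving the real app in an emulator, or holding the key, can re-sign
# a modified body, so the signature proves integrity, not good intent.
APP_SIGNING_KEY = b"constructed-app-signing-key"

# Constructed directory: phone number -> public profile.
DIRECTORY = {
    "+15550100": {"name": "alice", "photo": "a.jpg"},
    "+15550700": {"name": "bob", "photo": "b.jpg"},
    "+15551500": {"name": "carol", "photo": "c.jpg"},
}
# Constructed sweep: an attacker enumerates a whole number block.
NUMBER_RANGE = [f"+1555{n:04d}" for n in range(2000)]

DAILY_CONTACT_QUOTA = 500        # per-day limit described in the article
MAX_CONTACTS_PER_REQUEST = 100   # constructed cap used by the hardened server


def sign(body: bytes, timestamp: int) -> str:
    """Integrity header over body + timestamp (HMAC stands in for the real scheme)."""
    return hmac.new(APP_SIGNING_KEY, body + str(timestamp).encode(), hashlib.sha256).hexdigest()


def verify(body: bytes, timestamp: int, signature: str) -> bool:
    return hmac.compare_digest(sign(body, timestamp), signature)


def make_request(phones, device_id, timestamp=1611792000):
    """Build a signed sync request: hashed contact names plus plaintext numbers."""
    contacts = [{"name_hash": hashlib.sha256(f"contact-{p}".encode()).hexdigest(),
                 "phone": p} for p in phones]
    body = json.dumps({"device_id": device_id, "contacts": contacts}).encode()
    return body, timestamp, sign(body, timestamp)


class WeakSyncServer:
    """Quota keyed on (account, device_id) where device_id comes from the body.
    A fresh device_id resets the quota, and the response pairs each number with
    a profile, so one sweep yields a number-to-identity database."""
    def __init__(self):
        self.used = defaultdict(int)

    def sync(self, account, body, timestamp, signature):
        if not verify(body, timestamp, signature):
            return {"error": "bad signature"}
        req = json.loads(body)
        key = (account, req["device_id"])  # attacker controls the second half
        phones = [c["phone"] for c in req["contacts"]]
        if self.used[key] + len(phones) > DAILY_CONTACT_QUOTA:
            return {"error": "quota exceeded"}
        self.used[key] += len(phones)
        return {"matches": [dict(DIRECTORY[p], phone=p) for p in phones if p in DIRECTORY]}


class HardenedSyncServer:
    """Quota counted in contacts against the server-authenticated account only,
    regardless of device; per-request cap; phone numbers are not echoed back."""
    def __init__(self):
        self.used = defaultdict(int)

    def sync(self, account, body, timestamp, signature):
        if not verify(body, timestamp, signature):
            return {"error": "bad signature"}
        phones = [c["phone"] for c in json.loads(body)["contacts"]]
        if len(phones) > MAX_CONTACTS_PER_REQUEST:
            return {"error": "too many contacts in one request"}
        if self.used[account] + len(phones) > DAILY_CONTACT_QUOTA:
            return {"error": "quota exceeded"}
        self.used[account] += len(phones)
        return {"matches": [DIRECTORY[p]["name"] for p in phones if p in DIRECTORY]}


def enumerate_numbers(server, account, phones, batch, rotate_device):
    """Attacker loop: sweep the range in batches, re-signing each modified body,
    optionally minting a new device_id per batch. Returns matches and rejections."""
    found = rejected = 0
    for i in range(0, len(phones), batch):
        device_id = f"emulator-{i}" if rotate_device else "emulator-0"
        resp = server.sync(account, *make_request(phones[i:i + batch], device_id))
        if "error" in resp:
            rejected += 1
        else:
            found += len(resp["matches"])
    return {"found": found, "rejected": rejected}


if __name__ == "__main__":
    print("weak, rotating devices:", enumerate_numbers(WeakSyncServer(), "acct", NUMBER_RANGE, 250, True))
    print("weak, one device:      ", enumerate_numbers(WeakSyncServer(), "acct", NUMBER_RANGE, 250, False))
    print("hardened, small batches:", enumerate_numbers(HardenedSyncServer(), "acct", NUMBER_RANGE, 100, True))
```

Against the weak server the attacker recovers all three profiles with zero rejections simply by changing the device identifier every 250 numbers; the same sweep from a single device stalls after 500. The hardened server ties the 500-contact budget to the account the session token authenticates, so rotating device identifiers buys nothing, and each additional 500 lookups costs the attacker another SMS-verified account.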

This is far from the first time the popular video-sharing app has been found to contain security weaknesses.

In January 2020, Check Point researchers discovered multiple vulnerabilities in the TikTok app that could have been exploited to take over user accounts and manipulate their content, including deleting videos, uploading unauthorized videos, making private "hidden" videos public, and revealing personal information saved on the account.

Then in April, security researchers Talal Haj Bakry and Tommy Mysk exposed flaws in TikTok that made it possible for attackers to display forged videos, including ones attributed to verified accounts, by redirecting the app to a fake server hosting a collection of fake videos.

Finally, TikTok launched a bug bounty partnership with HackerOne last October to help users and security professionals flag technical concerns with the platform. Critical vulnerabilities (CVSS score 9 to 10) are eligible for payouts of between $6,900 and $14,800, according to the program.

"Our primary motivation, this time around, was to explore the privacy of TikTok," said Oded Vanunu, head of products vulnerabilities research at Check Point. "We were curious if the TikTok platform could be used to gain private user data. It turns out that the answer was yes, as we were able to bypass multiple protection mechanisms of TikTok that lead to privacy violation."

"An attacker with that degree of sensitive information could perform a range of malicious activities, such as spear phishing or other criminal actions."
