TikTok is one of the most popular short-video sharing social media app that has millions of users worldwide. But you will be surprised to know that a recent vulnerability left users’ private data exposed to the attackers.
Notably, as per a report by CNET, security researchers at Check Point Research discovered a flaw in the TikTok app, which, if left unpatched, would enable an attacker to access users’ phone number and profile settings.
The TikTok profile settings include the TikTok nickname, profile, and profile pictures. Moreover, it also consists of unique user IDs, along with sensitive and private information such as whether a user is a follower or if a user’s profile is hidden.
Apparently, all this private information, when clubbed together, can be used by an attacker to build a database of TikTok users for malicious activity.
Check Point spokesperson Ekram Ahmed said in a statement that their main aim for conducting this security research on TikTok was to explore the privacy of the app.
They performed the security check to know whether the app can be used to access private user data. And to their surprise, a flaw in TikTok app, lead them to what they were aiming for.
The flaw or vulnerability was found on the TikTok app’s “Find Friends” feature
As per the spokesperson of Check Point Research, the flaw was found on the TikTok app’s “Find Friends” feature. TikTok’s Find Friends feature synchronizes user contacts to connect with them on TikTok.
Security researchers were able to bypass multiple protection mechanisms, which ultimately lead to privacy violation.
Researchers have also explained the process of discovering this flaw in the TikTok app. Each time, a user launches the TikTok app, it asks for device registration, just to make sure that the user isn’t switching between devices.
Right at the mobile SMS login process, TikTok servers generate a token and session cookies, to validate the registration. Note that the session cookies and token values expire after 60 days. This also means that anyone could use the same cookies to log in for weeks.
An attacker can easily manipulate the sign-in process by bypassing TikTok’s HTTP SMS signing. Good thing is that Check Point Research has already shared its findings with ByteDance, the parent of the TikTok app.
And a new update is already live for TikTok users, which we recommend to straightaway install on your devices. Oded Vanunu, head of products vulnerabilities research at Check Point advised users to share bare minimum personal data. He further said to keep the app up to date, to avoid such mishaps.