Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

TikTok privacy issue could have allowed stealing users’ private details

A vulnerability in the video-sharing social networking service TikTok could have allowed hackers to steal users’ private personal information. Developers at ByteDance, the company that owns TikTok, have fixed a security vulnerability in the popular video-sharing social networking service that could have allowed attackers to steal users’ private personal information. Check Point researchers found a vulnerability in Find Friends […]

tiktok

A vulnerability in the video-sharing social networking service TikTok could have allowed hackers to steal users’ private personal information.

Developers at ByteDance, the company that owns TikTok, have fixed a security vulnerability in the popular video-sharing social networking service that could have allowed attackers to steal users’ private personal information.

Check Point researchers found a vulnerability in Find Friends feature implemented by TikTok that could have allowed the attackers to bypass the service’s privacy protections allowing them to access users’ private personal data.

Profile data that could be accessible exploiting the vulnerability include a phone number, nickname, profile and avatar pictures, unique user IDs, along with certain profile settings.

“In the recent months, Check Point Research teams discovered a vulnerability within the TikTok mobile application’s friend finder feature. In the vulnerability described in this research an attacker can connect between profile details and phone numbers, while a successful exploitation can enable an attacker to build a database of users and their related phone numbers.” reads the analysis published by CheckPoint researchers. “If exploited, this vulnerability would have only impacted those users who have chosen to associate a phone number with their account (which is not required) or logged in with a phone number.”

Experts focused their activity on all actions related to users’ data and discovered that the mobile app enables contacts syncing. This means that a user can sync his contacts to easily find people he knows on TikTok and this is done by connecting profile details and phone numbers.

The syncing process is composed of 2 requests:

  1. Upload contacts
  2. Syncing contacts
tiktok

The experts provided a step by step exploitation procedure for this privacy issue:

  • Step 1 – Creating a List of Devices (Registering Physical Devices)
  • Step 2 – Creating a List of Never Expired Session Tokens
  • Step 3 – Bypassing TikTok’s HTTP Message Signing
  • Step 4 –Chaining It All Together to modify HTTP requests and re-sign them.

The experts were able to automate the process of uploading and syncing contacts on a large scale using a short Frida script that allowed them to build a database of users and their connected phone numbers.

The information exfiltrated by exploiting this privacy flaw could be used by attackers to conduct malicious activities, including scams and phishing campaigns.

Check Point helped ByteDance in identifying and addressing the issue.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, TikTok)

[adrotate banner=”5″]

[adrotate banner=”13″]