TikTok security breach exposed private user data

Researchers from cybersecurity firm Check Point Research discovered a vulnerability in the popular video-sharing platform TikTok that allowed threat actors to harvest users' private data. The flaw, which has since been fixed, raises questions about how much data users can safely share with mobile apps. The vulnerability was in TikTok's "Find Friends" feature and allowed attackers to access certain profile details of other users, including their phone number, TikTok nickname, profile and avatar photos, unique user ID, and certain profile settings.

Be careful what you share

Detailing the methodology used to exploit the vulnerability, Check Point explained that TikTok uses contact sync to help people find other users they might know: the app uploads the phone numbers in a user's address book and the service returns the matching accounts. However, the researchers found that attackers could manipulate the login process so that contacts could be uploaded and synced on a large scale, allowing them to build a database that links TikTok profiles to phone numbers for use in later attacks. After becoming aware of the vulnerability, TikTok developer ByteDance quickly released a patch closing the hole.

"Our main motivation was to explore the privacy of TikTok," said Oded Vanunu, product vulnerability research lead at Check Point. "We were curious to see if the TikTok platform could be used to access private user data. We were able to circumvent several TikTok protection mechanisms that led to a privacy breach. The vulnerability could have allowed an attacker to create a database containing user details and their respective phone numbers. An attacker with this level of sensitive information could carry out a variety of malicious activities, such as spear phishing or other criminal actions."

This is not the first time a security issue has been found in TikTok. A year earlier, Check Point published research on another set of vulnerabilities in the platform. Ultimately, the best practice for users to follow, with any application, is to share as little information as possible.
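The abuse described above is a classic mass-enumeration problem: a contact-sync endpoint that answers any volume of lookups lets an attacker feed it number ranges instead of a real address book. The following is an added illustration in Python, written for this page and not TikTok's or Check Point's code; the service classes, the account directory and the phone numbers are all constructed, and the quotas are hypothetical values chosen to keep the demo small. It shows a naive sync handler beside a hardened one that caps batch size, enforces a per-account daily quota on distinct numbers, and never echoes phone numbers back in the response.

```python
from collections import defaultdict

# Constructed directory of fake accounts (not real TikTok data): E.164 phone -> profile.
DIRECTORY = {
    "+15550000123": {"uid": "u1", "nickname": "alice"},
    "+15550004567": {"uid": "u2", "nickname": "bob"},
    "+15550009876": {"uid": "u3", "nickname": "carol"},
}


class SyncError(Exception):
    """Raised when the hardened service refuses a sync request."""


class VulnerableContactSync:
    """Naive handler: any batch size, unlimited calls, and the phone number is
    returned alongside the profile, so one sweep yields a phone->profile table."""

    def sync(self, account, phones):
        return [{"phone": p, **DIRECTORY[p]} for p in phones if p in DIRECTORY]


class HardenedContactSync:
    """Hypothetical hardened handler (illustrative limits, not TikTok's real ones)."""

    MAX_BATCH = 50      # numbers per request; a real address book arrives in a few batches
    DAILY_QUOTA = 200   # distinct numbers one account may look up per day

    def __init__(self):
        # account -> set of distinct numbers submitted today (reset daily in a real system)
        self._seen = defaultdict(set)

    def sync(self, account, phones):
        phones = set(phones)
        if len(phones) > self.MAX_BATCH:
            raise SyncError("batch too large")
        seen = self._seen[account]
        if len(seen | phones) > self.DAILY_QUOTA:
            # Refuse the whole batch rather than partially serving it, so an
            # attacker cannot creep past the quota with many small requests.
            raise SyncError("daily contact-sync quota exceeded")
        seen |= phones
        # Return only what the "Find Friends" UI needs. The caller already knows
        # which numbers it sent, so the phone number is never echoed back.
        return [
            {"uid": DIRECTORY[p]["uid"], "nickname": DIRECTORY[p]["nickname"]}
            for p in sorted(phones)
            if p in DIRECTORY
        ]


def sweep(service, account, prefix="+1555000", start=0, stop=10000, batch=50):
    """Attacker model: submit a whole number range in batches and collect every hit.
    Against the vulnerable service this walks the entire range; against the hardened
    one it raises SyncError once the account's quota is spent."""
    numbers = [f"{prefix}{n:04d}" for n in range(start, stop)]
    found = []
    for i in range(0, len(numbers), batch):
        found.extend(service.sync(account, numbers[i : i + batch]))
    return found


if __name__ == "__main__":
    hits = sweep(VulnerableContactSync(), "attacker")
    print("vulnerable service leaked:", hits)
    hardened = HardenedContactSync()
    try:
        sweep(hardened, "attacker")
    except SyncError as err:
        print("hardened service stopped the sweep:", err,
              "after", len(hardened._seen["attacker"]), "numbers")
```

The per-account quota is only one layer: an attacker who can mint accounts or devices at will simply spreads the sweep across them, which is why the request-signing and session protections that Check Point reports bypassing matter as much as the quota itself. Device-level limits, registration friction and anomaly detection on hit rate (real address books do not look like sequential ranges) belong on top of what is shown here.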