Researchers have discovered a vulnerability in TikTok which could have allowed attackers to harvest users’ phone numbers and personal profile details.
Check Point revealed today that the flaw, which has now been fixed by the popular social network, was found in the app’s “Find Friends” feature.
The problem stems from the fact that TikTok allows users to sync their phone contacts with the app, thus connecting user profiles with phone numbers.
If exploited, the flaw could have allowed attackers to bypass the app’s HTTP message signing to log in, and then sync contacts to discover the profiles of all the TikTok users in the victim’s phone book.
Worse still, the SMS log-in process from a mobile device involved TikTok servers generating a token and session cookies, but these did not expire for 60 days, meaning an attacker could use the same cookies to log in for weeks.
Among the profile details exposed by the vulnerability are TikTok nickname, profile and avatar pictures, unique user IDs and settings including whether a user is a follower or if a user’s profile is hidden.
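As an added illustration that is not from the article, Check Point or TikTok, the constructed Python sketch below models a contact-sync endpoint that enforces the three controls the report says were defeated: request signing, a short session lifetime instead of 60-day cookies, and a cap on how many phone numbers one session may resolve. The signing key, TTL, cap and phone directory are all made-up values.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# All values below are constructed for the example.
SIGNING_KEY = b"constructed-demo-signing-key"
SESSION_TTL_SECONDS = 60 * 60          # one hour, instead of the 60-day cookies described
MAX_LOOKUPS_PER_SESSION = 500          # cap on phone numbers one session may resolve
DIRECTORY = {"+15550000001": "alice", "+15550000002": "bob"}  # constructed phone -> nickname map


@dataclass
class Session:
    user_id: str
    issued_at: float       # epoch seconds when the SMS login created the session
    lookups_used: int = 0  # phone numbers this session has already resolved


def sign_body(body: bytes) -> str:
    """HMAC-SHA256 over the request body; the client must present this with every request."""
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()


def sync_contacts(session: Session, body: bytes, signature: str, now: Optional[float] = None) -> dict:
    """Resolve phone numbers to profiles only if signing, session age and volume checks all pass."""
    now = time.time() if now is None else now
    # 1. Reject requests whose message signature does not verify (constant-time comparison).
    if not hmac.compare_digest(sign_body(body), signature):
        return {"error": "bad_signature"}
    # 2. Reject sessions older than the TTL; long-lived cookies let a stolen session be reused for weeks.
    if now - session.issued_at > SESSION_TTL_SECONDS:
        return {"error": "session_expired"}
    numbers = json.loads(body)["contacts"]
    # 3. Cap lookups per session so a single session cannot resolve an unbounded list of numbers.
    if session.lookups_used + len(numbers) > MAX_LOOKUPS_PER_SESSION:
        return {"error": "rate_limited"}
    session.lookups_used += len(numbers)
    matches = {n: DIRECTORY[n] for n in numbers if n in DIRECTORY}
    return {"matches": matches}


if __name__ == "__main__":
    s = Session(user_id="u1", issued_at=time.time())
    body = json.dumps({"contacts": ["+15550000001", "+15550000009"]}).encode()
    print(sync_contacts(s, body, sign_body(body)))
```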
Check Point’s head of products vulnerability research, Oded Vanunu, said his team was curious to see if the TikTok platform could be used to gain access to private user data.
“We were able to bypass multiple protection mechanisms of TikTok, that led to privacy violation. The vulnerability could have allowed an attacker to build a database of user details and their respective phone numbers,” he explained.
“An attacker with that degree of sensitive information could perform a range of malicious activities, such as spear phishing or other criminal actions. Our message to TikTok users is to share the bare minimum, when it comes to your personal data, and to update your phone’s operating system and applications to the latest versions.”
A TikTok statement recognized the work of “trusted partners” like Check Point in making the platform safer for users.
“We continue to strengthen our defenses, both by constantly upgrading our internal capabilities such as investing in automation defenses, and also by working with third parties,” it added.