Vulnerability in TikTok allowed theft of users' personal information; the developer fixed it immediately



It has been revealed that the short-video platform TikTok contained a vulnerability that allowed users' personal information to be stolen. The flaw was reported by the security firm Check Point, and ByteDance, the developer, has already fixed it.

TikTok fixes privacy issue discovered by Check Point Research --Check Point Software

https://blog.checkpoint.com/2021/01/26/tiktok-fixes-privacy-issue-discovered-by-check-point-research/

TikTok fixes flaws allowing theft of private user information
https://www.bleepingcomputer.com/news/security/tiktok-fixes-flaws-allowing-theft-of-private-user-information/

TikTok Flaw Lay Bare Phone Numbers, User IDs For Phishing Attacks | Threatpost
https://threatpost.com/tiktok-flaw-phishing-attacks/163322/

TikTok operates a server for each service region, and from there it delivers short videos of roughly 3 to 60 seconds to the user's app. TikTok has been installed more than 1 billion times from Google Play, the official Android app store, and according to data from a research company the total number of installations across all mobile platforms has exceeded 2 billion.

Check Point, a security company, pointed out that TikTok had a vulnerability that made it possible to steal users' personal information. According to Check Point, TikTok's 'Find Friends' feature contained a vulnerability that allowed access to personal information such as phone numbers and user IDs while bypassing the platform's privacy protections.



'Find Friends' is a feature that lets you locate acquaintances' TikTok accounts through your contacts and Facebook. To match accounts against a user's contact list, TikTok associates user profile details with phone numbers. By exploiting the vulnerability found in 'Find Friends', an attacker could harvest that personal information.

To exploit the Find Friends vulnerability, the attacker first builds a list of 'device IDs' and 'session tokens' to use when querying TikTok's servers. Next, the attacker bypasses TikTok's HTTP message-signing mechanism by running its signing service in the background, so that valid signatures can be produced for arbitrary requests. Finally, by modifying and re-signing HTTP requests while rotating through the collected session tokens and device IDs, the attacker can bypass the privacy-protection mechanism and look up user details by phone number at scale.
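The attack flow described above, that is, a phone-number lookup endpoint whose abuse quota is keyed on a client-chosen device ID and whose privacy check is not enforced on the server, modeled as a small simulation. This is an added example written for this article, not TikTok's or Check Point's code: the endpoint, the embedded signing key, the quota values, the phone numbers and the profiles are all hypothetical, and the HMAC scheme only stands in for whatever request signing TikTok actually used. The vulnerable server and the hardened server differ in two lines: what the quota is keyed on, and whether the target's discoverability setting is checked server-side.

```python
"""Toy model of a contact-sync lookup abused by device/token rotation.

Constructed example; not TikTok code. Keys, names, numbers are hypothetical.
"""
import hashlib
import hmac
from collections import defaultdict

# Assumption: the client signs requests with a key embedded in the app, so
# anyone who can drive the app's signing code can sign arbitrary requests.
APP_SIGNING_KEY = b"hypothetical-embedded-signing-key"

# Constructed directory: phone -> profile. "discoverable" models the user's
# "let others find me by phone number" privacy setting.
DIRECTORY = {
    "+15550000001": {"user_id": "u1001", "name": "alice", "discoverable": True},
    "+15550000002": {"user_id": "u1002", "name": "bob", "discoverable": False},
    "+15550000003": {"user_id": "u1003", "name": "carol", "discoverable": True},
    "+15550000004": {"user_id": "u1004", "name": "dave", "discoverable": False},
}


def sign_request(device_id: str, session_token: str, phone: str) -> str:
    """HMAC over the fields the server binds the request to."""
    msg = f"{device_id}|{session_token}|{phone}".encode()
    return hmac.new(APP_SIGNING_KEY, msg, hashlib.sha256).hexdigest()


class FindFriendsServer:
    """Hypothetical 'find friends by phone' endpoint with a lookup quota."""

    def __init__(self, quota: int = 2, hardened: bool = False):
        self.quota = quota
        self.hardened = hardened
        self.calls = defaultdict(int)

    def lookup(self, device_id, session_token, phone, signature):
        # A valid signature only proves the request went through the app's
        # signing code; it is not an authorization decision.
        expected = sign_request(device_id, session_token, phone)
        if not hmac.compare_digest(expected, signature):
            return "bad_signature", None
        # Vulnerable: quota keyed on a device ID the client picks freely.
        # Hardened: quota keyed on the authenticated account, which an
        # attacker cannot mint as cheaply as a device ID.
        key = session_token if self.hardened else device_id
        self.calls[key] += 1
        if self.calls[key] > self.quota:
            return "rate_limited", None
        profile = DIRECTORY.get(phone)
        # Vulnerable: the discoverability setting is assumed to be enforced
        # only by the client, so the server hands out every match.
        if profile is None or (self.hardened and not profile["discoverable"]):
            return "no_match", None
        return "ok", {"user_id": profile["user_id"], "name": profile["name"]}


def harvest(server, candidates, device_ids, session_tokens):
    """Attacker loop: query each candidate number, re-signing every modified
    request and rotating to the next device/token pair when rate limited."""
    found = {}
    pool = [(d, t) for d in device_ids for t in session_tokens]
    idx = 0
    for phone in candidates:
        while idx < len(pool):
            device_id, token = pool[idx]
            sig = sign_request(device_id, token, phone)
            status, profile = server.lookup(device_id, token, phone, sig)
            if status == "rate_limited":
                idx += 1  # quota exhausted for this identity: rotate
                continue
            if status == "ok":
                found[phone] = profile
            break
    return found


def run_demo():
    """Same attacker inventory against the vulnerable and hardened servers."""
    devices = ["dev-1", "dev-2", "dev-3", "dev-4"]   # cheap to fabricate
    tokens = ["sess-A", "sess-B"]                    # one per attacker account
    candidates = list(DIRECTORY)
    return {
        "vulnerable": harvest(FindFriendsServer(), candidates, devices, tokens),
        "hardened": harvest(FindFriendsServer(hardened=True), candidates,
                            devices, tokens),
    }


if __name__ == "__main__":
    for mode, result in run_demo().items():
        print(mode, sorted(p["name"] for p in result.values()))
```

Against the vulnerable server the attacker resolves every number in the directory, including the two users who opted out of phone discovery, because each rate-limit hit is answered by switching to a fresh device ID. Against the hardened server the opted-out users are never returned, and the total number of lookups is bounded by the number of accounts the attacker controls times the per-account quota, which is the budget a defender can actually monitor.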

Check Point warned, 'This vulnerability could allow an attacker to build a database of user details and phone numbers. An attacker who obtained such sensitive information could carry out a variety of malicious activities, such as spear phishing or other criminal acts.'



In response to Check Point's report, the developer ByteDance quickly fixed the vulnerability. A TikTok spokeswoman said, 'Protecting the security and privacy of the TikTok community is our number one priority. We appreciate the cooperation of trusted partners such as Check Point, who help identify potential problems and resolve them before they impact users. We continue to enhance security by upgrading internal features, investing in automation, and working with third parties.'

in Mobile,   Software,   Security, Posted by logu_ii