Cybersecurity experts have revealed a recently patched vulnerability within TikTok that could have compromised the personal data of users associated with phone numbers linked to their accounts. This security issue, identified by Check Point Research, raised significant concerns regarding possible data harvesting for malicious purposes.

The vulnerability affected users who had either registered with a phone number or linked an existing number to their TikTok account. Attackers could have exploited the flaw to build a database of sensitive user information, a privacy breach and data leak, as detailed in a report shared with The Hacker News.

TikTok promptly fixed the issue following responsible disclosure by Check Point researchers. The flaw was in TikTok’s “Find Friends” feature, which lets users sync their contacts to discover additional accounts to follow. Contacts were uploaded in HTTP requests consisting of hashed contact names paired with their corresponding phone numbers.

Subsequently, TikTok’s servers would send an additional HTTP request to retrieve relevant profiles linked to the submitted phone numbers. The response included key identifiers such as profile names, phone numbers, and shared media, escalating the risk of data misuse.

While contact uploads are limited to 500 contacts per day per account, Check Point researchers found that this boundary could be circumvented using various techniques. By capturing device identifiers, session cookies, and a token referred to as “X-Tt-Token,” an attacker could reproduce the upload process from an emulator running Android 6.0.1.

For TikTok’s server to accept a request, the HTTP messages had to carry X-Gorgon and X-Khronos headers for verification. The researchers noted, however, that by altering the requests, including the number of contacts to sync, and re-signing them with fresh signatures, attackers could automate the contact upload process and aggregate a comprehensive database of user profiles linked to phone numbers.
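The daily cap described above only holds if the server counts contacts per account across every session, device and request, and never trusts a client-supplied total. The following Python sketch is an added example, not TikTok’s code and not Check Point’s, of that server-side enforcement plus a simple abuse signal (one account being denied from several device identifiers). The class name, account and device identifiers, phone numbers and dates are all constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# The per-account daily cap mentioned in the article.
DAILY_CONTACT_LIMIT = 500


class ContactSyncQuota:
    """Server-side enforcement of the daily contact-sync cap.

    Hypothetical design (not TikTok's): usage is keyed on the account and
    the UTC day, not on the session cookie, the device id or any count
    field in the request body, so rotating sessions or inflating a batch
    still draws from the same budget.
    """

    def __init__(self, limit=DAILY_CONTACT_LIMIT):
        self.limit = limit
        self._used = defaultdict(int)      # (account_id, day) -> contacts consumed
        self._denied = defaultdict(int)    # (account_id, day) -> rejected requests
        self._devices = defaultdict(set)   # (account_id, day) -> device ids seen

    @staticmethod
    def _day(now):
        return now.astimezone(timezone.utc).date()

    def request(self, account_id, device_id, contacts, now):
        """Decide one upload. `contacts` is the decoded list from the body;
        its length is what counts, never a client-supplied total.
        Returns (allowed, reason)."""
        key = (account_id, self._day(now))
        self._devices[key].add(device_id)
        n = len(contacts)
        if n == 0:
            return False, "empty-batch"
        if self._used[key] + n > self.limit:
            # Reject the whole batch rather than silently truncating it.
            self._denied[key] += 1
            return False, "quota-exceeded"
        self._used[key] += n
        return True, "ok"

    def remaining(self, account_id, now):
        return self.limit - self._used[(account_id, self._day(now))]

    def suspicious_accounts(self, now, min_devices=2):
        """Accounts denied today while syncing from several device ids."""
        day = self._day(now)
        return sorted(
            acct for (acct, d), denials in self._denied.items()
            if d == day and denials > 0
            and len(self._devices[(acct, d)]) >= min_devices
        )


def demo():
    """Constructed scenario: one account, two devices, one rollover."""
    q = ContactSyncQuota()
    t0 = datetime(2021, 1, 26, 12, 0, tzinfo=timezone.utc)  # constructed date
    batch = lambda prefix, n: [f"+1555{prefix}{i:04d}" for i in range(n)]

    first, _ = q.request("acct-1", "device-A", batch("000", 400), t0)
    # Second session from another device, sized to push the account past 500.
    second, reason = q.request("acct-1", "device-B", batch("001", 200),
                               t0 + timedelta(minutes=5))
    # A batch that exactly fills the remaining budget is still fine.
    third, _ = q.request("acct-1", "device-B", batch("002", 100),
                         t0 + timedelta(minutes=6))
    # Next UTC day: the budget resets.
    next_day, _ = q.request("acct-1", "device-A", batch("003", 1),
                            t0 + timedelta(days=1))
    return {
        "first": first, "second": second, "second_reason": reason,
        "third": third, "next_day": next_day,
        "remaining_day1": q.remaining("acct-1", t0),
        "flagged": q.suspicious_accounts(t0),
    }


if __name__ == "__main__":
    print(demo())
```

The point of keying on the account rather than the request is that the length of the decoded contact list is the only number the server trusts; a re-signed request with a larger batch is simply rejected once the account’s budget is spent, and the denial count across device identifiers gives a defender something to alert on.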

This incident is not isolated in the broader context of TikTok’s security posture. Previous vulnerabilities have drawn attention to the application, notably those identified by Check Point in January 2020, which risked unauthorized access to user accounts and facilitated unauthorized content manipulation. Subsequent discoveries highlighted methods for displaying fraudulent videos through compromised server connections.

In October, TikTok partnered with HackerOne to establish a bug bounty program aimed at encouraging security researchers and users to report vulnerabilities within the platform. The initiative offers substantial rewards for critical vulnerabilities, reinforcing the platform’s commitment to enhancing user security.

As summarized by Oded Vanunu, head of product vulnerability research at Check Point, the core objective of this investigation was to scrutinize TikTok’s privacy mechanisms. The findings revealed significant gaps, indicating the capability of attackers to conduct an array of harmful actions, including targeted phishing attacks.
