TikTok Bug Could Have Exposed Users Profile Data and Phone Numbers

Cybersecurity researchers on Tuesday disclosed a now-patched security flaw in TikTok that could have potentially enabled an attacker to build a database of the app's users and their associated phone numbers for future malicious activity.

Although this flaw only impacts those users who have linked a phone number with their account or logged in with a phone number, successful exploitation of the vulnerability could have resulted in data leakage and privacy violation, Check Point Research said in an analysis shared with The Hacker News.

TikTok has deployed a fix to address the shortcoming following responsible disclosure from Check Point researchers.

The newly discovered bug resides in TikTok's "Find friends" feature that allows users to sync their contacts with the service to identify potential people to follow.

The contacts are uploaded to TikTok via an HTTP request in the form of a list that consists of hashed contact names and the corresponding phone numbers.

The app, in the next step, sends out a second HTTP request that retrieves the TikTok profiles connected to the phone numbers sent in the previous request. This response includes profile names, phone numbers, photos, and other profile related information.

While the upload and sync contact requests are limited to 500 contacts per day, per user, and per device, Check Point researchers found a way to get around the limitation by getting hold of the device identifier, session cookies set by the server, a unique token called "X-Tt-Token" that's set when logging into the account with SMS and simulate the whole process from an emulator running Android 6.0.1.

It's worth noting that in order to request data from the TikTok application server, the HTTP requests must include X-Gorgon and X-Khronos headers for server verification, which ensures that the messages are not tampered with.

But by modifying the HTTP requests — the number of contacts the attacker wants to sync — and re-signing them with an updated message signature, the flaw made it possible to automate the procedure of uploading and syncing contacts on a large scale and create a database of linked accounts and their connected phone numbers.

This is far from the first time the popular video-sharing app has been found to contain security weaknesses.