A recently discovered security flaw in TikTok that could potentially enable a hacker to build the application‘s user profile database along with their account associated phone numbers has been disclosed by cybersecurity researchers. The collected data may be utilized in future malicious campaigns and activities.
This flaw can only impact TikTok accounts linked to a phone number with a logged-in account via the number. Exploiting this successfully could result in leakage of data and privacy violations. The good news is that TikTok addresses the vulnerability after the disclosure from white-hat cybersecurity researchers.
The discovered exploitable bug resides in the “Find friends“ section of the app that can allow users to sync their phone‘s contact with the service to identify people to follow.
Within TikTok, the phone contacts are uploaded via an HTTP request in a list form that consists of hashed contact names and the saved phone numbers. Once confirmed and synced, the app will send out another HTTP request that looks for existing TikTok profiles linked to the contact‘s phone number, including profile accounts, phone number and other profile data.
To request data from the TikTok app server, the HTTP requests must include the X-Khornos and X-Gorgon headers as server verification to ensure that the message requests are not yet tampered. A threat actor can modify the HTTP requests, which is the number of contacts he wants to sync and reassign them together with an updated message signature.
The bug enables the automation of uploading and syncing contact profiles on a larger scale to create a linked TikTok accounts database and their associated phone numbers.
The popular video clip sharing app has a history of security weakness. In January 2020, cybersecurity researchers discovered multiple flaws and vulnerabilities that might have been exploited to hijack user accounts and manipulate the account‘s content.
In April 2020, cybersecurity experts Talal Haj Bakry and Tommy Mysk disclosed bugs that enable an attacker to display fake videos by redirecting the application to a phony server host that stores the fake videos collection.
TikTok then launched a bug bounty partnership with HackerOne last October 2020 to get assistance on user security and flag technical security concerns around the platform.