In recent months, Check Point Research teams discovered a vulnerability within the TikTok mobile application’s friend finder feature. If exploited, it would have enabled an attacker to access users’ profile details and the phone numbers associated with their accounts, and so to build a database of users and their related phone numbers that could then be used for malicious activity.
Check Point Research informed TikTok’s developers and security teams about this issue. A solution was responsibly deployed by TikTok to ensure its users can safely continue using the app.
In January 2020, Check Point Research published a paper on TikTok, reporting a vulnerability that could have allowed a threat actor to access personal information saved in users’ accounts, to manipulate users’ account details, or to take actions on behalf of a user without their consent. A solution was responsibly deployed by TikTok to address that issue.
In April 2020, TikTok launched a private bug bounty program, which grew into a global public partnership with HackerOne in October 2020. The program encourages security researchers to find and responsibly disclose security bugs so that the TikTok teams can resolve them before attackers exploit them.
The publication came in the midst of a series of reports that placed TikTok’s security and privacy in a global spotlight. Trump administration officials warned that they were considering banning the app, suggesting a possible executive order addressing the threat posed by TikTok. All of this served as a primary motivation behind our current research.
As a reference point for our investigation, Check Point Research followed closely a 2019 report about Instagram, which confirmed security issues that exposed users’ account details and phone numbers to threat actors.
Privacy at stake
As our main purpose was to examine the privacy of TikTok, we focused on all actions in the app which relate to users’ data. We found the app enabled contacts syncing, meaning that a user can sync their phone contacts to easily find people they may know on TikTok. In simple terms, this makes it possible to connect users’ profile details to their phone numbers. If exploited, this vulnerability would have impacted only those users who had chosen to associate a phone number with their account (which is not required) or who logged in with a phone number.
With those phone numbers and profile details, attackers could potentially access further information about users from sources outside of TikTok, for example by searching for other accounts or other data associated with the same phone number.
We followed a 3-step process to deep dive into the actions we were exploring:
Step 1: Creating a list of devices. Each time it is launched, the TikTok app performs a process of device registration to make sure that users are not switching between devices.
Step 2: Creating a list of session tokens which do not expire for 60 days. During the SMS login process from a mobile device, TikTok servers validate the data by generating a token and session cookies. During our research, we found that the session cookies and the token values expire only after 60 days, which meant that we could use the same cookies to log in for weeks.
Step 3: Bypassing TikTok’s HTTP message signing. The key research question we asked was: can a single user query TikTok’s database and cause a privacy violation? The answer was yes. We found that a threat actor can successfully manipulate the sign-in process by bypassing TikTok’s HTTP message signing, thereby automating the process of uploading and syncing contacts at scale, which would eventually build a database of users and their connected phone numbers for the threat actor to potentially target.
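The three steps above describe what made the abuse scalable: device registration that can be scripted, session tokens that stay valid for 60 days, and a contact-sync endpoint that can be driven in bulk. The following added example (not Check Point’s or TikTok’s code) shows the server-side view a defender would want: it parses a constructed contact-sync access log and flags two patterns the article implies, a single session uploading contacts far beyond a normal user’s volume inside a short window, and one session token presented from several registered device ids. The log format, session and device ids, endpoint path and thresholds are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of an application-side access log for a contact-sync
# endpoint. The field layout, session ids, device ids and counts are all
# invented for this example; real platform logs will differ.
SAMPLE_LOG = """\
2020-11-01T10:00:00Z session=s1 device=d1 endpoint=/contact/sync contacts=42
2020-11-01T10:00:02Z session=s1 device=d1 endpoint=/contact/sync contacts=40
2020-11-01T10:00:05Z session=s2 device=d2 endpoint=/contact/sync contacts=15
2020-11-01T10:00:07Z session=s1 device=d1 endpoint=/contact/sync contacts=45
2020-11-01T10:00:09Z session=s1 device=d1 endpoint=/contact/sync contacts=44
2020-11-01T10:00:10Z session=s3 device=d3 endpoint=/contact/sync contacts=12
2020-11-01T10:00:11Z session=s3 device=d4 endpoint=/contact/sync contacts=13
2020-11-01T10:00:12Z session=s3 device=d5 endpoint=/contact/sync contacts=14
2020-11-01T10:02:00Z session=s4 device=d6 endpoint=/user/profile contacts=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) device=(?P<device>\S+) "
    r"endpoint=(?P<endpoint>\S+) contacts=(?P<contacts>\d+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of dicts, skipping
    lines that do not match (a production parser would count those too)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(
            rec["ts"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        rec["contacts"] = int(rec["contacts"])
        records.append(rec)
    return records


def bulk_sync_sessions(records, window_seconds=60, max_contacts=100):
    """Return {session: peak contacts uploaded inside any sliding window}
    for sessions whose contact-sync volume exceeds max_contacts.
    The thresholds are hypothetical; tune them to the real traffic baseline."""
    by_session = defaultdict(list)
    for r in records:
        if r["endpoint"] == "/contact/sync":
            by_session[r["session"]].append(r)
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for session, recs in by_session.items():
        recs.sort(key=lambda r: r["ts"])
        start, total, peak = 0, 0, 0
        for end, r in enumerate(recs):
            total += r["contacts"]
            # Slide the window start forward until the span fits the window.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                total -= recs[start]["contacts"]
                start += 1
            peak = max(peak, total)
        if peak > max_contacts:
            flagged[session] = peak
    return flagged


def multi_device_sessions(records):
    """Return {session: sorted device ids} for sessions presented from more
    than one registered device. Device registration is meant to stop users
    switching devices, so one session token arriving from several device ids
    is a sign the token is being replayed by a script."""
    devices = defaultdict(set)
    for r in records:
        devices[r["session"]].add(r["device"])
    return {s: sorted(d) for s, d in devices.items() if len(d) > 1}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("bulk contact sync:", bulk_sync_sessions(recs))
    print("session used from multiple devices:", multi_device_sessions(recs))
```

Both checks are cheap enough to run on a stream rather than a batch, and either signal is a reasonable trigger for invalidating the session token server-side, which also removes the value of a 60-day token lifetime to an automated client.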
TikTok has been reported to be adding 100 Million users monthly, and has surpassed 2 Billion downloads globally, meaning it has nearly tripled in size since 2018. In 2021, mobile data and analytics firm App Annie expects TikTok to not only join the 1 Billion monthly active user (MAU) club alongside Facebook, Instagram, Messenger, WhatsApp, YouTube and WeChat; it also predicts TikTok will sail past the 1 Billion MAU milestone to reach 1.2 Billion average monthly active users.
These incredible figures, along with ongoing reports of security and privacy matters concerning the app and its usage, led us to conduct this privacy-related research.
Oded Vanunu of Check Point’s advice to TikTok users is to share the bare minimum when it comes to personal data, and to update the OS and applications to the latest versions.