In recent months, Check Point Research teams discovered a vulnerability within the TikTok mobile application’s friend finder feature: a vulnerability that if exploited would have enabled an attacker to access users’ profile details and the phone numbers associated with their accounts. This would enable the attacker to build a database of users and their related phone numbers, which could then be used for malicious activity.
Check Point Research informed TikTok’s developers and security teams about this issue. A solution was responsibly deployed by TikTok to ensure its users can safely continue using the app.
In January 2020, Check Point Research published a paper on TikTok, reporting a vulnerability that could have allowed threat actor to access personal information saved in users’ accounts, to manipulate users’ account details or take actions on behalf of a user without their consent. A solution was responsibly deployed by TikTok to address that issue. In April 2020, TikTok launched a private bug bounty program which grew into a global public partnership with HackerOne in October 2020 and encourages security researchers to find and responsibly disclose security bugs so that the TikTok teams can resolve them before attackers exploit them.
The publication came in the midst of a series of reports that placed TikTok’s security and privacy in a global spotlight. Trump administration officials warned that they were considering banning the App, suggesting a possible executive order addressing “the threat posed by TikTok.” All of this served as a primary motivation behind our current research.
As a reference point for our investigation, Check Point Research followed closely a 2019 report about Instagram, which confirmed security issues that exposed users’ account details and phone numbers to threat actors.
TikTok users’ privacy at stake
As our main purpose was to examine the privacy of TikTok, we focused on all actions in the app which relate to users’ data. We found the app enabled contacts syncing, meaning that a user can sync their phone contacts to easily find people they may know on TikTok. In simple terms, this makes it possible to connect users’ profile details to their phone numbers. If exploited, this vulnerability would have only impacted those users who have chosen to associate a phone number with their account (which is not required) or logged in with a phone number.
With those phone numbers and profile details, attackers could potentially access further information related to users, obtained outside of TikTok such as searching for other accounts or data available.
We followed a 3-step process to deep-dive into the actions we were exploring:
Step I – Creating a List of Devices (Registering Physical Devices) – each time it is launched, the TikTok app performs a process of device registration to make sure that users are not switching between devices.
Step II – Creating a list of session tokens which do not expire for 60 days– during the SMS login process from a mobile device, TikTok servers validate the data by generating a token and session cookies. During our research, we found that the session cookies and the token values, expire after 60 days which meant that we could use the same cookies to login for weeks.
Step III – Bypassing TikTok’s HTTP Message Signing – the key research question we asked was: can a single user query TikTok’s database and cause a privacy violation? The answer was yes: we found that a threat actor can successfully manipulate the sign-in process by bypassing TikTok’s HTTP Message signing (link to research on CPR), thereby automating the process of uploading and syncing contacts at scale, which would eventually build a database of users and their connected phone numbers for the threat actor to potentially target.
TikTok has been reported to be adding 100M users monthly, and has surpassed 2 billion downloads globally, meaning it has nearly tripled in size since 2018. In 2021, mobile data and analytics firm App Annie expects TikTok to not only join the 1 billion monthly active user (MAU) club alongside Facebook, Instagram, Messenger, WhatsApp, YouTube and WeChat; it also predicts TikTok will sail past the 1 billion MAU milestone to reach 1.2 billion average monthly active users.
These incredible figures, along with ongoing reports of security and privacy matters concerning the App and its usage, led us to conduct this privacy-related research.
We were delighted to join forces with the TikTok team in working to fix these issues, enabling users to enjoy a fun and safe experience.
For the full technical details of this research go to: https://research.checkpoint.com/