Security vulnerabilities found in the Chinese short video sharing app, TikTok, allowed attackers to bypass the platform’s privacy settings and thereby access personal and confidential user data.
The vulnerabilities were found by researchers at Israeli information security developer Check Point in December 2019 and fixed now in late January.
According to the researchers, the vulnerabilities were in the app's friend-finding tool (“Find Friends”) and, if exploited, could reveal the phone numbers of users who had verified their phone number (verification is not mandatory), as well as user names, images, settings and profile data, and the lists of a user's followers and of the accounts the user follows.
“Check Point Research teams discovered a vulnerability in the friend finder feature of the TikTok mobile app […] Successful exploitation allowed an attacker to create a database of users and their related phone numbers”, write the researchers in a report published on Tuesday (26).
The researchers explain that, to carry out such an attack, cybercriminals would need to build a list of victims with their user IDs, build a list of session tokens, bypass TikTok’s HTTP message signature mechanism, and modify HTTP requests.
ByteDance, the company responsible for TikTok, states that the vulnerability has been fixed and that the company is working to ensure the privacy of its users’ data.
“The security and privacy of the TikTok community is our highest priority, and we appreciate the work of trusted partners such as Check Point in identifying possible problems so that we can resolve them before they affect users,” the company said in a statement.
The head of product vulnerability research, Oded Vanunu, told Bleeping Computer that this vulnerability is especially dangerous, as a cybercriminal with this level of information can carry out a series of malicious attacks. “Our message to TikTok users is to share as little as possible when it comes to your personal data”.
“We continue to strengthen our defenses, constantly updating our internal capabilities, such as investing in automation defenses, and also working with third parties,” concludes the ByteDance spokesman.
See the original post at: https://thehack.com.br/tiktok-corrige-vulnerabilidade-de-seguranca-que-expos-dados-privados-de-usuarios/?rand=48873