TikTok started a bug bounty program after discovering various vulnerabilities in its application. This effort seems to be working well, as TikTok recently fixed a serious flaw discovered by security company Check Point Research. The vulnerability would allow hackers to use the app's "Friend Finder" feature to steal various details from users' profiles and phone numbers and then create a database of information that could be used for malicious attacks. .
Check Point investigators noticed a flaw in the way TikTok's servers confirmed that Friend Finder requests came from legitimate phones. Using a unique device ID for each user phone, the application generates one user token and one session cookie. However, the team found that the cookies were valid for about 60 days, allowing them to be used in virtual devices instead of cell phones.
The vulnerability could allow a hacker to create a database with user data and their corresponding phone numbers. A hacker with this level of sensitive information could perform a number of malicious activities, such as phishing campaigns or other criminal acts. Researchers' message to TikTok users is that they should share as little as possible information by their personal data. They also need to update their operating system and applications to the latest versions.
Using some hacking tools, they could bypass TikTok's "HTTP message signing", change the function to gain contacts, and sign the request again. Because it all happened in one virtual device, the process could automated. This allowed researchers to create a database with "phone numbers, aliases, unique user IDs and settings, such as if a user is a follower or if one's profile user is private, "according to Check Point.
Η Check Point said he had discovered the vulnerability in recent months. "Check Point Research has informed our developers and security teams about this issue and responsibly developed a solution to ensured "Users can safely continue to use the TikTok application," the company said.
Source of information: engadget.com