The vulnerability could have allowed an attacker to build a database of user details and their respective phone numbers. An attacker with that degree of sensitive information could perform a range of malicious activities, such as spear phishing or other criminal actions. Our message to TikTok users is to share the bare minimum when it comes to your personal data. Update your OS and applications to the latest versions.
Using hacking tools, the researchers bypassed TikTok's HTTP message signing, altered the contact-sync function so that it looked up phone numbers of their choosing, and re-signed the modified request so the server accepted it. Because all of this ran on a virtual device, the process could be automated. That let the researchers build a database of user "phone numbers, nicknames, profile and avatar pictures, unique user IDs and settings such as whether a user is a follower or if a user's profile is hidden," according to Check Point.
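The re-signing step above is the part practitioners tend to misread: a request signature computed by the client only proves the request came from code that holds the signing key, and whoever controls the device (a virtual device in this case) holds that key. The following is an added illustration, not Check Point's tooling or TikTok's actual scheme; the HMAC construction, the endpoint name `/api/contacts/sync`, the key, the sample users and the per-account quota are all constructed for the example. It shows a signed contact-sync request being tampered with (rejected), tampered with and re-signed (accepted), and finally a bulk enumeration that only a server-side control stops.

```python
import hashlib
import hmac
import json
import time
from collections import defaultdict

# Constructed for this example: a signing key shipped inside a client build.
# Anyone who can run the client (e.g. on a virtual device) can extract it.
EMBEDDED_SIGNING_KEY = b"example-client-signing-key"
SYNC_PATH = "/api/contacts/sync"  # hypothetical endpoint name


def canonical(method: str, path: str, body: dict, ts: int) -> bytes:
    """Canonical string the signature covers: method, path, timestamp and body."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return f"{method}\n{path}\n{ts}\n{payload}".encode()


def sign_request(key: bytes, method: str, path: str, body: dict, ts: int) -> str:
    """HMAC-SHA256 over the canonical request; this is what the client computes."""
    return hmac.new(key, canonical(method, path, body, ts), hashlib.sha256).hexdigest()


def verify_signature(key, method, path, body, ts, sig, now, max_skew=300) -> bool:
    """Server-side check: signature must match and the timestamp must be fresh."""
    if abs(now - ts) > max_skew:
        return False
    expected = sign_request(key, method, path, body, ts)
    return hmac.compare_digest(expected, sig)


class ContactSyncServer:
    """Toy contact-sync backend: maps uploaded phone numbers to registered profiles."""

    def __init__(self, key, users, max_lookups_per_day=500):
        self.key = key
        self.users = users                      # phone number -> profile
        self.max_lookups_per_day = max_lookups_per_day
        self.seen = defaultdict(set)            # account -> numbers already looked up

    def handle(self, account, method, path, body, ts, sig, now=None):
        now = int(time.time()) if now is None else now
        if not verify_signature(self.key, method, path, body, ts, sig, now):
            return {"error": "bad signature"}
        phones = set(body.get("contacts", []))
        # The real control lives here, not in the signature: cap how many distinct
        # numbers one account may resolve, so bulk enumeration stops early.
        new_numbers = phones - self.seen[account]
        if len(self.seen[account]) + len(new_numbers) > self.max_lookups_per_day:
            return {"error": "contact sync quota exceeded"}
        self.seen[account].update(new_numbers)
        return {"matches": [self.users[p] for p in sorted(phones) if p in self.users]}


def demo():
    """Walk through legitimate use, tampering, re-signing and bulk enumeration."""
    users = {  # constructed sample data
        "+15550001": {"id": "u1", "nick": "alice"},
        "+15550002": {"id": "u2", "nick": "bob"},
    }
    server = ContactSyncServer(EMBEDDED_SIGNING_KEY, users, max_lookups_per_day=100)
    ts = 1_700_000_000
    account = "attacker-account"
    results = {}

    # 1. Normal client: uploads its own address book, correctly signed.
    body = {"contacts": ["+15550001"]}
    sig = sign_request(EMBEDDED_SIGNING_KEY, "POST", SYNC_PATH, body, ts)
    results["legit"] = server.handle(account, "POST", SYNC_PATH, body, ts, sig, now=ts)

    # 2. Swapping the contact list but reusing the old signature is rejected.
    tampered = {"contacts": ["+15550002"]}
    results["tampered"] = server.handle(account, "POST", SYNC_PATH, tampered, ts, sig, now=ts)

    # 3. Re-signing the tampered body with the extracted key is accepted:
    #    signing raises the effort for an attacker, it is not an authorization boundary.
    resig = sign_request(EMBEDDED_SIGNING_KEY, "POST", SYNC_PATH, tampered, ts)
    results["resigned"] = server.handle(account, "POST", SYNC_PATH, tampered, ts, resig, now=ts)

    # 4. Automated enumeration of a whole number range, correctly signed, is
    #    stopped by the per-account lookup quota.
    bulk = {"contacts": [f"+1555{n:04d}" for n in range(1000)]}
    bulk_sig = sign_request(EMBEDDED_SIGNING_KEY, "POST", SYNC_PATH, bulk, ts)
    results["bulk"] = server.handle(account, "POST", SYNC_PATH, bulk, ts, bulk_sig, now=ts)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The per-account quota is one layer, not a fix on its own: an attacker who can automate a virtual device can also create many accounts, so it belongs alongside per-device and per-IP limits, anomaly detection on contact-sync volume, and, above all, returning as little as possible per match. Much of the harm described here comes from the server handing back profile pictures, user IDs and privacy settings for every matched number when a bare match/no-match would do.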
A previous Facebook flaw is a good example of how such a weakness can be abused. Cybercriminals were able to scrape phone numbers that Facebook users had entered on the understanding they would stay private, and built a database covering up to 500 million users. They then created a Telegram bot that would reveal the numbers to anyone willing to pay, according to Motherboard.
Check Point said it discovered the vulnerability, the second it has found in the app within the past year, over the past few months. "Check Point Research informed TikTok developers and security teams about this issue and a solution was responsibly deployed to ensure its users can safely continue using the TikTok app," the company said.
While the threat of an imminent ban has disappeared along with the Trump administration, TikTok will no doubt remain under scrutiny given that its parent company, ByteDance, is based in China. As such, it has a vested interest in keeping the app safe and in encouraging others to probe it. "We continue to strengthen our defenses, both by constantly upgrading our internal capabilities such as investing in automation defenses, and also by working with third parties," a TikTok spokesperson said in a statement.