The vulnerability could have allowed an attacker to create a database containing the details of users and their respective phone numbers. An attacker with this level of sensitive information could perform a range of malicious activities, such as spear phishing or other criminal actions. Our message to TikTok users is to share the bare minimum when it comes to your personal data. Update your operating system and applications to the latest versions.
By using some hacking tools, they could bypass TikTok’s HTTP message signing, change the function to acquire contacts, and sign the request again. Because all of this was done in a virtual device, the process could be automated. This allowed the researchers to create a database of “phone numbers, nicknames, profile and avatar photos, unique user IDs, and settings such as whether a user is a subscriber or whether a user’s profile is hidden,” according to Check Point.
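A defender-side check suggested by the scripted contact-sync abuse described above, as an added example that is not Check Point's or TikTok's code: it runs over constructed log lines and flags devices whose contact-sync rate or volume looks automated, or whose request signature failed verification. The log format, field names, endpoint path and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real TikTok logs): dev-A is a normal user,
# dev-B repeatedly uploads large contact batches, dev-C fails the signature check.
SAMPLE_LOGS = """\
2021-01-26T10:00:01Z device=dev-A endpoint=/contacts/sync sig=ok contacts=42
2021-01-26T10:01:30Z device=dev-B endpoint=/contacts/sync sig=ok contacts=5000
2021-01-26T10:01:31Z device=dev-B endpoint=/contacts/sync sig=ok contacts=5000
2021-01-26T10:01:32Z device=dev-B endpoint=/contacts/sync sig=ok contacts=5000
2021-01-26T10:01:33Z device=dev-B endpoint=/contacts/sync sig=ok contacts=5000
2021-01-26T10:02:00Z device=dev-C endpoint=/contacts/sync sig=fail contacts=5000
2021-01-26T10:05:00Z device=dev-A endpoint=/feed sig=ok contacts=0
"""

# Assumed log layout; adapt the pattern to the real gateway's format.
LINE_RE = re.compile(r"^(?P<ts>\S+) device=(?P<device>\S+) endpoint=(?P<endpoint>\S+) "
                     r"sig=(?P<sig>\S+) contacts=(?P<contacts>\d+)$")
WINDOW = timedelta(minutes=10)  # sliding window per device (assumed policy)
MAX_SYNCS = 3                   # sync calls tolerated per window (assumed policy)
MAX_CONTACTS = 10000            # contacts tolerated per window (assumed policy)

def parse(lines):
    """Turn log text into event dicts, skipping lines that do not match the layout."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["contacts"] = int(ev["contacts"])
        events.append(ev)
    return events

def flag_enumeration(lines, window=WINDOW, max_syncs=MAX_SYNCS, max_contacts=MAX_CONTACTS):
    """Return {device: sorted reasons} for devices whose sync traffic looks scripted."""
    reasons = defaultdict(set)
    recent = defaultdict(list)  # device -> sync events inside the sliding window
    for ev in sorted(parse(lines), key=lambda e: e["ts"]):
        if ev["sig"] != "ok":  # tampered or re-signed request that failed verification
            reasons[ev["device"]].add("signature-failure")
        if ev["endpoint"] != "/contacts/sync":
            continue
        q = recent[ev["device"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:  # evict events older than the window
            q.pop(0)
        if len(q) > max_syncs:
            reasons[ev["device"]].add("sync-rate")
        if sum(e["contacts"] for e in q) > max_contacts:
            reasons[ev["device"]].add("contact-volume")
    return {dev: sorted(r) for dev, r in reasons.items()}
```

A flagged device is a candidate for rate limiting or step-up verification on the sync endpoint, not proof of abuse on its own.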
A previous Facebook flaw provides a good example of how such an exploit can be used. Cybercriminals were able to retrieve numerous phone numbers entered by Facebook users that were supposed to be private and built up a database of up to 500 million users. They then created a Telegram bot that would reveal the numbers to anyone willing to pay, according to Motherboard.
Check Point said it discovered the vulnerability – the second it found last year – in recent months. “Check Point Research has informed developers and TikTok security teams of this issue and a solution has been responsibly deployed to ensure that its users can continue to use the TikTok app safely,” the company said.
While the threat of an impending ban disappeared with the Trump administration, TikTok will no doubt remain on watch given that parent company ByteDance is located in China. As such, it has a vested interest in keeping the app safe and encouraging others to explore it. “We continue to strengthen our defenses, both by constantly improving our internal capabilities such as investing in automation defenses, and also by working with third parties,” a spokesperson for TikTok said in a statement.