The vulnerability existed in TikTok’s “Find Friends” feature that lets users sync their phone contacts with the app and connect profiles with their phone numbers.
TikTok has more than 1 billion users worldwide, making it a lucrative target for cybercriminals. Any vulnerability in the platform, if exploited, can be disastrous for its unsuspecting and young user base.
Last year, a TikTok vulnerability allowed hackers to send SMS messages loaded with malware. Now, IT security researchers at Check Point have reported a critical vulnerability in TikTok’s mobile app that would allow attackers to extract the personal details of users, including the phone number associated with the account.
Additionally, attackers could also access the victim’s unique ID, profile picture, and name. An attacker who knows your phone number along with these personal details can use them for malicious purposes, including smishing (SMS phishing) attacks or SIM-swapping attacks.
The vulnerability, which has now been fixed by TikTok, existed in its “Find Friends” feature, which lets users sync their phone contacts with the app and connect profiles with their phone numbers. It is worth noting, however, that TikTok does not require users to connect a phone number to their account.
Furthermore, TikTok generates a token and session cookies during the SMS login process, and these expire only after 60 days. The vulnerability allowed an attacker to use that token and the session cookies to log in to the victim’s account for over 2 months without raising any suspicion.
Simply put: as Check Point researchers describe in a blog post, the vulnerability would allow attackers to “build a database of users and their related phone numbers, which could then be used for malicious activity.”
“We were able to bypass multiple protection mechanisms of TikTok, which led to privacy violation. The vulnerability could have allowed an attacker to build a database of user details and their respective phone numbers,” said the researchers.
“An attacker with that degree of sensitive information could perform a range of malicious activities, such as spear phishing or other criminal actions. Our message to TikTok users is to share the bare minimum, when it comes to your personal data, and to update your phone’s operating system and applications to the latest versions.”
The good news is that the vulnerability was reported to TikTok, which fixed the issue without further delay. Therefore, if you are on TikTok, you are safe from becoming a victim of this exploit. To keep it that way, make sure you have downloaded the app from its official website, from the Google Play Store for Android devices, or from the App Store for iOS devices.