TikTok patched an exploit that could've let attackers steal user phone numbers

The bug was discovered by Check Point Research in TikTok's "Friend Finder" feature.

Earlier this year, TikTok launched a bug bounty program after the discovery of vulnerabilities and threats of a ban by the former Trump administration. That effort appears to have paid dividends, as it recently fixed a serious flaw discovered by the security firm Check Point Research. The vulnerability would have allowed attackers to use the app’s “Friend Finder” feature to steal users’ profile details and phone numbers, then build a database of information that could be used for malicious attacks.

Check Point researchers developed an exploit after noticing a flaw in the way TikTok’s servers confirmed that Friend Finder requests were coming from legitimate phones. Using a unique device ID for each user’s phone, the app creates a user token and session cookie. However, the team found that the cookies were valid for up to 60 days, allowing them to be used in virtual devices instead of physical phones.

Check Point summarized the impact this way: “The vulnerability could have allowed an attacker to build a database of user details and their respective phone numbers. An attacker with that degree of sensitive information could perform a range of malicious activities, such as spear phishing or other criminal actions. Our message to TikTok users is to share the bare minimum when it comes to your personal data. Update your OS and applications to the latest versions.”

Using some hacking tools, they could bypass TikTok’s HTTP message signing, modify the request to the contact-acquisition function and re-sign it. Because all of this was done on a virtual device, the process could be automated. That let the researchers build a database of user “phone numbers, nicknames, profile and avatar pictures, unique user IDs and settings such as whether a user is a follower or if a user’s profile is hidden,” according to Check Point.

A previous Facebook flaw provides a good example of how such an exploit can be used. Cybercriminals were able to scrape numerous phone numbers entered by Facebook users that were meant to be private and built up a database of up to 500 million users. They then created a Telegram bot that would reveal the numbers to anyone willing to pay, according to Motherboard.

Check Point said that it discovered the vulnerability — the second it has found in the last year — over the past few months. “Check Point Research informed TikTok developers and security teams about this issue and a solution was responsibly deployed to ensure its users can safely continue using the TikTok app,” the company said.

While the threat of an imminent ban has disappeared along with the Trump administration, TikTok will no doubt remain under scrutiny given that parent ByteDance is located in China. As such, it has a vested interest in keeping the app safe and encouraging others to probe it. “We continue to strengthen our defenses, both by constantly upgrading our internal capabilities such as investing in automation defenses, and also by working with third parties,” a TikTok spokesperson said in a statement.