Last week a now-patched security bug was found in the popular social media platform TikTok. This bug could have enabled hackers to build a database of users and their associated phone numbers.
This flaw only affected users who linked their mobile phone number with their TikTok account or who logged in using a phone number. If this vulnerability had been exploited, an attacker could have harvested the exposed data and then easily abused the collected data in the future.
The bug was found in TikTok’s “Find friends” feature that allows users to synchronise their contacts found in their phone with the service to identify potential people to follow.
The contacts are uploaded to TikTok via an HTTP request in the form of a list that consists of hashed contact names and the corresponding phone numbers.
The app then sends out a second HTTP request that retrieves the TikTok profiles connected to the mobile phone numbers sent in the previous request. This response includes profile names, phone numbers, photos, and other profile related information.
While this feature is limited to 500 contacts per day, per user, and per device, researchers found a way around the limitation: by getting hold of the device identifier, the session cookies set by the server and a token that is set when logging into the account via SMS, they could simulate the entire process from an emulator running Android 6.0.1.
By modifying the HTTP requests and re-signing them with an updated message signature, the vulnerability made it possible to automate the procedure of uploading and syncing contacts on a large scale and create a database of linked accounts and their connected mobile phone numbers.
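As an added defensive illustration (not code from the original post or from TikTok), the following shows a server-side budget for a contact-sync endpoint that enforces the daily cap per account as well as per device, so that presenting a fresh device identifier on the same session does not reset it. Account names, device identifiers, the churn threshold and the sample traffic are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

DEVICE_DAILY_CAP = 500     # budget from the write-up: 500 contacts/day per user per device
ACCOUNT_DAILY_CAP = 500    # added: the same budget enforced per account across all devices
MAX_DEVICES_PER_DAY = 3    # hypothetical churn threshold: distinct device ids per account/day

class ContactSyncMonitor:
    """Server-side budget for a contact-sync endpoint: keeps the original per-(account,
    device) cap and adds a per-account cap and a device-churn check, so re-sending the
    upload with a fresh device identifier on the same session does not reset the budget."""

    def __init__(self, window=timedelta(days=1)):
        self.window = window
        self.events = defaultdict(deque)  # account -> (timestamp, device_id, count), oldest first

    def _prune(self, account, now):
        q = self.events[account]
        while q and now - q[0][0] >= self.window:
            q.popleft()

    def check(self, account, device_id, count, now):
        """Decide on an upload of `count` contacts and record it if allowed."""
        self._prune(account, now)
        q = self.events[account]
        device_total = sum(c for _, d, c in q if d == device_id)
        account_total = sum(c for _, _, c in q)
        devices_seen = {d for _, d, _ in q} | {device_id}
        if device_total + count > DEVICE_DAILY_CAP:
            return "device_cap"
        if account_total + count > ACCOUNT_DAILY_CAP:
            return "account_cap"
        if len(devices_seen) > MAX_DEVICES_PER_DAY:
            return "device_churn"
        q.append((now, device_id, count))
        return "ok"

def replay_constructed_scenario():
    """Constructed traffic: acct-42 spends its 500 and then presents a new device id;
    acct-7 stays under the cap but cycles through four device ids in one day."""
    mon = ContactSyncMonitor()
    t0 = datetime(2020, 1, 13, 9, 0)
    uploads = [("acct-42", "emu-0001", 500, 0), ("acct-42", "emu-0002", 500, 1),
               ("acct-7", "dev-a", 50, 2), ("acct-7", "dev-b", 50, 3),
               ("acct-7", "dev-c", 50, 4), ("acct-7", "dev-d", 50, 5),
               ("acct-42", "emu-0001", 100, 24 * 60 + 5)]  # next day, window expired
    return [mon.check(a, d, n, t0 + timedelta(minutes=m)) for a, d, n, m in uploads]
```

The second upload is refused even though its device identifier is new, and the fourth device of acct-7 is flagged although the account is well under its contact budget.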
Although this has now been fixed, our advice would be to ensure you have the least amount of personal information linked to your social media accounts. If it is not necessary to add a phone number, home address or similar details, it is best not to do so, so that they cannot be exploited.