"TikTok Flaw Lay Bare Phone Numbers, User IDs For Phishing Attacks"
Researchers at Check Point Research discovered a vulnerability in the popular TikTok short-form video-sharing platform that could have allowed adversaries to easily compile users' phone numbers, unique user IDs, and other data usable for phishing attacks. The vulnerability was in the "Find Friends" feature of the TikTok mobile app. This feature allows users to find their friends, either via their contacts, via Facebook, or by inviting friends. To launch an attack, a bad actor would first need to bypass TikTok's HTTP message signing mechanism, which is meant to prevent threat actors from tampering with HTTP messages or modifying the HTTP request body. The researchers were able to achieve this using TikTok's own signing service, executed in the background. Using a dynamic analysis framework like Frida, an adversary could hook the signing function, change the data in the function's arguments (in this case, the contacts the attacker wants to sync), re-sign the modified request, and send it to the TikTok application server. From there, the adversary could automate the process of uploading and syncing contacts at a large scale. This would have allowed the adversary to build a database of users and their connected phone numbers. The researchers reported the vulnerability, and a patch has been released that fixes the issue.
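The practical lesson for defenders is that client-side request signing cannot stop a client that controls the signing routine, so the server has to treat contact-sync volume itself as the signal. The following is an added example, not code from Check Point or TikTok; the log format, account IDs, and thresholds are constructed assumptions. It flags accounts whose contact-sync uploads within a sliding window exceed what a human address book plausibly looks like, while leaving an ordinary re-sync alone.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real TikTok logs) for a hypothetical
# contact-sync endpoint: timestamp, account id, contacts in the request body.
SAMPLE_LOG = """\
2021-01-05T10:00:01Z acct=u100 contacts=42
2021-01-05T10:00:03Z acct=u200 contacts=800
2021-01-05T10:00:09Z acct=u200 contacts=800
2021-01-05T10:00:15Z acct=u200 contacts=800
2021-01-05T10:00:21Z acct=u200 contacts=800
2021-01-05T10:01:02Z acct=u300 contacts=120
2021-01-05T10:02:00Z acct=u300 contacts=900
2021-01-05T10:30:00Z acct=u300 contacts=900
2021-01-05T10:31:00Z acct=u400 contacts=5000
"""

def parse_line(line):
    """Parse one constructed log line into (timestamp, account, contact_count)."""
    ts_s, acct_kv, count_kv = line.split()
    ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
    return ts, acct_kv.split("=", 1)[1], int(count_kv.split("=", 1)[1])

def flag_bulk_sync(log_text, window=timedelta(minutes=10),
                   max_contacts=2000, max_requests=3):
    """Return {account: reason} for accounts whose contact-sync volume in any
    sliding window exceeds the thresholds (assumed values, tune per service)."""
    recent = defaultdict(deque)   # account -> deque of (ts, count) inside the window
    flagged = {}
    for line in log_text.splitlines():
        ts, acct, count = parse_line(line)   # log lines are assumed time-ordered
        q = recent[acct]
        q.append((ts, count))
        while q and ts - q[0][0] > window:   # drop entries that fell out of the window
            q.popleft()
        total = sum(c for _, c in q)
        if count > max_contacts:
            flagged.setdefault(acct, f"single request with {count} contacts")
        elif len(q) > max_requests or total > max_contacts:
            flagged.setdefault(acct, f"{len(q)} syncs / {total} contacts within {window}")
    return flagged

if __name__ == "__main__":
    for acct, why in flag_bulk_sync(SAMPLE_LOG).items():
        print(acct, why)
```

Account u300 re-syncs a normal-sized address book twice half an hour apart and is not flagged; u200 and u400 are, for sustained and single-shot bulk uploads respectively.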
Threatpost reports: "TikTok Flaw Lay Bare Phone Numbers, User IDs For Phishing Attacks"