A TikTok vulnerability gave access to users' private data, including phone numbers

As confirmed by security analysts, the TikTok video platform suffered a serious vulnerability that gave access to a good amount of private user data. Unique IDs, user names, avatars and even phone numbers were accessible through a very specific access process. The error is now fixed.

TikTok is one of the social networks that has experienced the highest growth in recent times: by the end of 2021 the platform is expected to reach 1,200 million unique users. This significant volume of use has a drawback: it draws the attention of those who seek access to private data. We recently learned that TikTok offered a gateway to some of that data.

A failure in the search for friends opened the door to user data

Image: Find TikTok friends, the option where the vulnerability was found

The vulnerability detected in the platform has been corrected, so there should no longer be a risk that attackers could use it. There is no evidence that it was used on a large scale to obtain user data; at least, that is what Check Point, the firm that made the discovery, states.

Check Point used the user registration service to take advantage of the cookies TikTok uses for authentication in HTTP messages. Check Point was able to automate the process and scale up the upload and synchronization of contacts until it obtained the user data associated with those contacts, such as name, ID, avatar and phone number. Of course, the phone number is only associated with the account if the user decides to share this data with TikTok (it is essential for searching for other contacts on the social network).

TikTok has already fixed the vulnerability. However, it is best not to share data as private as the phone number with the platform.
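One way a platform could flag the automated, scaled-up contact upload described above in its own contact-sync logs. This is an added example, not code from Check Point or TikTok; the event shape, session IDs, thresholds and phone numbers are constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed thresholds; tune against real contact-sync traffic.
WINDOW_SECONDS = 3600           # sliding window per session
MAX_CONTACTS_PER_WINDOW = 500   # distinct numbers allowed per window
MIN_FOR_PATTERN_CHECK = 50      # do not judge tiny address books
SEQUENTIAL_RATIO = 0.8          # share of consecutive numbers that looks generated

def sequential_ratio(numbers):
    """Share of adjacent (sorted, distinct) numbers that differ by exactly 1."""
    values = sorted({int(n.lstrip("+")) for n in numbers})
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return steps / (len(values) - 1)

def find_bulk_sync(events):
    """events: (unix_time, session_id, [phone numbers]). Returns {session: reason}."""
    windows = defaultdict(deque)  # session -> (time, number) pairs still in window
    flagged = {}
    for ts, session, contacts in sorted(events, key=lambda e: e[0]):
        win = windows[session]
        win.extend((ts, c) for c in contacts)
        while win and win[0][0] <= ts - WINDOW_SECONDS:
            win.popleft()         # drop uploads older than the window
        distinct = {n for _, n in win}
        if len(distinct) > MAX_CONTACTS_PER_WINDOW:
            flagged.setdefault(session, "volume")
        elif (len(distinct) >= MIN_FOR_PATTERN_CHECK
              and sequential_ratio(distinct) >= SEQUENTIAL_RATIO):
            flagged.setdefault(session, "sequential")
    return flagged

def sample_events():
    """Constructed log records: one ordinary user and two scripted-looking sessions."""
    normal = [(1000, "sess-a", [f"+1555010{n:04d}" for n in (12, 340, 977, 4021)])]
    bulk = [(1000 + 60 * i, "sess-b",
             [f"+1555020{(i * 100 + j) * 7:04d}" for j in range(100)])
            for i in range(6)]    # 600 scattered numbers in five minutes
    slow = [(2000, "sess-c", [f"+1555030{j:04d}" for j in range(60)])]  # consecutive block
    return normal + bulk + slow

if __name__ == "__main__":
    print(find_bulk_sync(sample_events()))
```
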

Via | Cnet
More information | Check Point