Check Point researchers discover security vulnerability on TikTok - again

According to the team's findings, an attacker could use this vulnerability to connect between personal information on users' profiles and their corresponding phone numbers

General view of the US head office of TikTok in Culver City, California, US, September 15, 2020. (photo credit: REUTERS/MIKE BLAKE)
After discovering a security vulnerability that could potentially allow hackers to collect sensitive information on TikTok users, the Israeli cybersecurity firm Check Point teamed up with the popular social-networking app to fix the issue. 
In a press release, the firm said that one of its research teams had recently found a vulnerability in the TikTok mobile application's friend finder feature. According to the team's findings, an attacker could use this vulnerability to link the personal information on users' profiles to their corresponding phone numbers, allowing them to build a detailed database that could potentially be used to target unsuspecting users and share their personal information.
The vulnerability, however, only affected users who had associated their phone numbers with their TikTok accounts or had used their phone number to register for the application, which is not required.
Worth noting in this regard is the growing popularity of TikTok, especially among children and teenagers, many of whom may not be aware of, or may not care about, the risks posed by sharing personal information online.
Check Point's team made the discovery after examining several features on the application connected to privacy issues.  
"As our main purpose was to examine the privacy of TikTok, we focused on all actions related to users' data," the firm noted in a press release. "The mobile application was found to enable contacts syncing, meaning that a user can sync his contacts to easily find people he knows on TikTok."
In other words, a skilled attacker would be able to link phone numbers to specific profile details, including names, private pictures, user IDs and even user settings. Coupled with bad intentions, that kind of information could lead to user extortion and possibly to identity theft.
Oded Vanunu, who led the Check Point research team that located the vulnerability, added that such databases of personal information can be used for phishing scams or even for targeted attacks on specific devices connected to the leaked information. 
Check Point researchers were able to bypass the application's security measures using an independent mechanism that they had developed, and managed to obtain the personal information of several notable Israeli TikTok users, including a famous singer, a well-known architect and an internet celebrity (also known as an influencer).
After verifying that what they had found was indeed a serious security breach, Check Point contacted TikTok and worked alongside the application's security teams to fix the vulnerability.
TikTok later released a statement, stressing the importance of protecting its users' privacy. 
"The privacy and protection of our community's information is a top priority for TikTok and we appreciate collaborations with certified partners such as Check Point that help us identify potential issues and fix them before they affect our users," the statement by TikTok read.
The company added that it intends to reinforce its privacy protection measures by upgrading its systems and by investing in automatic protection mechanisms, alongside continued cooperation with other companies.
"We appreciate the fact that TikTok acted quickly in order to fix the issue," Vanunu said, but noted that sharing personal information online, and on social media platforms in particular, is always a risk that users need to take into account. "We always recommend people to share as little personal information as possible and to always make sure that the applications they're using are updated with the latest version available," he added.
This is not the first time that Check Point has located security issues on TikTok. In January last year, researchers at Check Point found flaws in the application that enabled hackers to manipulate user accounts and extract information including dates of birth and private email addresses.
TikTok has faced a lot of suspicion regarding the privacy of its users. Considered a Chinese-owned app, it drew scrutiny from the Trump administration last year for allegedly posing threats to national security by spying on users and providing information to the Chinese government. Nevertheless, it remains one of the world's most popular applications, with a steadily growing user base.