Recently, security researchers at Check Point Research, a security solutions specialist, discovered a security flaw in one of the main features of TikTok, the social network of Chinese origin.
The application's reputation had already suffered in 2020 from multiple security flaws discovered during the year, and Check Point warned the application's parent company of the vulnerability. The flaw primarily affects the privacy management tool. It is also well and truly present in "Find friends", the feature that lets users make new friends, where it gives hackers a way into the application.
Because of this vulnerability, cyber criminals can access the personal files of users of the video-sharing app.
The vulnerability allows hackers to use the above feature to bypass the privacy protection that guards users' private data. The good news in the story is that the flaw has already been fixed. A security patch has been made available to all users. However, not installing the update leaves users greatly exposed. Anyone who has not yet updated is urged to do so. Right now hackers are on the lookout. The slightest lapse is likely to have more serious consequences.
The information that hackers could have gathered through this vulnerability includes, among other things:
– profile pictures;
– photos of the avatar;
– unique identifiers;
– the status of the account;
– the phone number.
In other words, totally private information.
This is not the first time that cybersecurity company Check Point Research has discovered security vulnerabilities in the social network and reported them to its owners. Back in January 2020, the security solutions company reported several security flaws to Bytedance, TikTok's parent company, which, if exploited, could have allowed a hacker to easily access users' account content and to perform certain tasks in the account holder's place, without the account holder even knowing.
"Our main motivation this time was to explore TikTok's privacy. We were curious about whether the TikTok platform could be used to obtain private user data. It was revealed that the answer was yes, because we were able to bypass TikTok's multiple protection mechanisms, leading to a security breach impacting confidentiality," explains Oded Vanunu, head of product vulnerability research at Check Point.
For their part, the social network's managers said they "appreciated the work of trusted partners like Check Point to identify potential problems encountered, solved before they can affect users".
To exploit the vulnerability, which has since been corrected, Check Point's researchers proceeded in four steps:
First, the researchers created a list of tools to query the social network's servers. "Then they created a list of session tokens used to query TikTok's servers. Note here that each session token is valid for 60 days. Then, the researchers bypassed the application's HTTP signature mechanism using its own signature service, run in the background. Finally, the last step was to modify HTTPS requests and signatures, then use multiple session tokens and device identifiers, to bypass TikTok's protection mechanisms," according to Oded Vanunu. Of course, the danger is ruled out if users properly apply the update provided to them.