Security researchers from Check Point uncovered a critical vulnerability in TikTok’s Find Friends feature, which could have allowed threat actors to pilfer users’ phone numbers and sensitive profile information linked to their accounts. The social media app has now fixed the flaw after Check Point reported the issue.
The Find Friends Flaw
Check Point researchers said that TikTok's contact-syncing feature, Find Friends, lets users upload their phone contacts to discover other TikTok users. If exploited, the flaw would have let threat actors link profile details to phone numbers, misuse that information, or build a database of users' private details for later malicious activity. Only users who had linked a phone number to their TikTok account were affected, but for those users the vulnerability could be exploited to obtain sensitive information without authorization.
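The risk described above is enumeration: a contact-sync endpoint that matches phone numbers to profiles will, without limits, let a client look up large numbers of guessed numbers and assemble a directory. The following is an added illustration written for this page, not TikTok's code or anything Check Point published. It sketches the defensive controls a contact-matching service would typically carry: the server index stores only a keyed hash of each number, each request is capped in size, each client has a per-window lookup quota, and responses return only a minimal profile and never echo the phone number back. All users, numbers, the pepper and the limits are constructed sample values.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed sample directory of users who chose to link a phone number.
# The numbers are made up for this example and are not real subscribers.
SAMPLE_USERS = {
    "+15550000001": {"user_id": "u1", "display_name": "alice"},
    "+15550000002": {"user_id": "u2", "display_name": "bob"},
    "+15550000003": {"user_id": "u3", "display_name": "carol"},
}

# Hypothetical server-side secret; a real deployment would keep this in a
# secrets store and rotate it.
SERVER_PEPPER = b"example-pepper-not-for-production"


def hash_phone(phone: str, pepper: bytes = SERVER_PEPPER) -> str:
    """Keyed hash of a phone number. The index stores only this digest, so a
    leaked index cannot be reversed to numbers by brute force without the pepper."""
    return hmac.new(pepper, phone.encode("utf-8"), hashlib.sha256).hexdigest()


class ContactSyncService:
    """Matches uploaded contacts against linked accounts with enumeration limits."""

    def __init__(self, users, max_batch=50, max_lookups_per_window=200,
                 window_seconds=3600, clock=time.monotonic):
        # Index keyed by hashed number; raw numbers are never kept server-side.
        self._index = {hash_phone(p): prof for p, prof in users.items()}
        self.max_batch = max_batch                 # numbers per request
        self.max_lookups = max_lookups_per_window  # numbers per client per window
        self.window = window_seconds
        self._clock = clock                        # injectable for tests
        self._usage = defaultdict(deque)           # client_id -> lookup timestamps

    def _consume_quota(self, client_id: str, count: int) -> bool:
        """Sliding-window quota: True if `count` more lookups fit, else False."""
        now = self._clock()
        q = self._usage[client_id]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) + count > self.max_lookups:
            return False
        q.extend([now] * count)
        return True

    def find_friends(self, client_id: str, contacts):
        """Return minimal profiles for contacts that are linked accounts.

        Raises ValueError when the batch is too large and PermissionError when
        the client has exhausted its lookup quota for the current window."""
        contacts = list(contacts)
        if len(contacts) > self.max_batch:
            raise ValueError("batch exceeds max_batch")
        if not self._consume_quota(client_id, len(contacts)):
            raise PermissionError("lookup quota exceeded for client")
        matches = []
        for phone in contacts:
            prof = self._index.get(hash_phone(phone))
            if prof is not None:
                # Only the fields needed to show a friend suggestion; the phone
                # number is deliberately not returned.
                matches.append({"user_id": prof["user_id"],
                                "display_name": prof["display_name"]})
        return matches


def run_demo():
    """Exercise the controls with a frozen clock; returns a summary dict."""
    svc = ContactSyncService(SAMPLE_USERS, max_batch=3,
                             max_lookups_per_window=5, window_seconds=60,
                             clock=lambda: 1000.0)
    first = svc.find_friends("device-A", ["+15550000001", "+15550000009"])
    try:
        svc.find_friends("device-A", ["+15550000001"] * 4)
        batch_rejected = False
    except ValueError:
        batch_rejected = True
    second = svc.find_friends("device-A", ["+15550000002", "+15550000003",
                                           "+15550000004"])
    try:
        svc.find_friends("device-A", ["+15550000001"])
        quota_rejected = False
    except PermissionError:
        quota_rejected = True
    other = svc.find_friends("device-B", ["+15550000001"])
    return {"first": first, "batch_rejected": batch_rejected,
            "second": second, "quota_rejected": quota_rejected,
            "other_client_ok": len(other) == 1}


if __name__ == "__main__":
    print(run_demo())
```

The quota is tracked per client identity (device, account or API key), which is what stops a single caller from sweeping a number range; the batch cap keeps any one request from being used as a bulk oracle, and the hashed index limits what an index leak exposes.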
“As our main purpose was to examine the privacy of TikTok, we focused on all actions in the app which relate to users’ data. We found the app enabled contacts syncing, meaning that a user can sync their phone contacts to easily find people they may know on TikTok. In simple terms, this makes it possible to connect users’ profile details to their phone numbers. If exploited, this vulnerability would have only impacted those users who have chosen to associate a phone number with their account (which is not required) or logged in with a phone number,” Check Point said.
“With those phone numbers and profile details, attackers could potentially access further information related to users, obtained outside of TikTok such as searching for other accounts or data available,” Check Point added.
Multiple Vulnerabilities in TikTok
Earlier, Check Point researchers found multiple vulnerabilities in the TikTok application that could have allowed attackers to break into user accounts and manipulate their content: deleting videos, uploading unauthorized videos, making private videos public, and revealing personal information saved on the account. TikTok subsequently deployed fixes for those issues.