How much is fifteen minutes of fame worth? TikTok remains wildly popular, with revenue doubling to roughly $35M in 2020. The company is reportedly exploring initial public offerings for some of its Hong Kong ventures.
In addition to taking overarching strides towards growth, the company has also narrowed its focus, creating a bug bounty program to explore its security weaknesses. As research shows, the bug bounty program has yielded dividends.
Vulnerability found in “friend finder”
Check Point Research discovered a vulnerability that would have permitted hackers to leverage the app’s “friend finder” feature to access user data, including phone numbers, avatar photos and unique user IDs.
This information could have been compiled into a larger repository. Data repositories of this kind can be sold or used to direct spear phishing campaigns or other criminal activities.
“Our primary motivation…was to explore the privacy of TikTok,” stated Check Point spokesperson, Ekram Ahmed. “We were curious if the TikTok platform could be used to gain private user data. It turns out that the answer was yes…”
No evidence indicates exploitation of the found vulnerability. The team at TikTok has since released a software patch.
TikTok says: “Check Point Research informed TikTok developers and security teams about the issue and a solution was responsibly deployed to ensure its users can safely continue using the TikTok app.”
The ins and outs of the vulnerability
The researchers from Check Point observed a flaw in the way that TikTok’s servers verified friend finder requests from phones. The app created a unique device ID for each user’s phone, then produced a user token and session cookie. Cookies remained valid for as long as 60 days, so a captured session could be reused from a virtual device, rather than a phone, to siphon off information.
“Using some hacking tools, they could bypass TikTok’s HTTP message signing, change the function to acquire contacts and re-sign the requests,” writes Yahoo Finance. Because all of this could happen in a virtual device, threat actors could have automated the process.
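The conditions described above (session cookies that stay valid for weeks, and automated contact-sync requests issued from virtual devices) are what a server-side monitor would look for. The following is an added illustration, not code from the article, Check Point or TikTok: a small detector run over constructed log lines, with the log format, endpoint path and all thresholds assumed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Policy thresholds: assumed for illustration, not TikTok's real values.
MAX_COOKIE_AGE = timedelta(days=1)   # the article reports 60-day cookie validity
MAX_SYNCS_PER_HOUR = 3
MAX_CONTACTS_PER_SYNC = 5000

# Constructed sample log lines: "<ts> device=<id> cookie_issued=<ts> path=<path> contacts=<n>"
SAMPLE_LOGS = """\
2021-01-26T10:00:00 device=dev-A cookie_issued=2021-01-25T22:00:00 path=/contact/sync contacts=120
2021-01-26T10:01:00 device=dev-B cookie_issued=2020-12-01T09:00:00 path=/contact/sync contacts=5000
2021-01-26T10:02:00 device=dev-B cookie_issued=2020-12-01T09:00:00 path=/contact/sync contacts=5000
2021-01-26T10:03:00 device=dev-B cookie_issued=2020-12-01T09:00:00 path=/contact/sync contacts=5000
2021-01-26T10:04:00 device=dev-B cookie_issued=2020-12-01T09:00:00 path=/contact/sync contacts=5000
2021-01-26T10:07:00 device=dev-C cookie_issued=2021-01-26T09:50:00 path=/contact/sync contacts=9000
"""

def parse_line(line):
    # Parse one constructed log line into a dict with typed fields.
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["cookie_issued"] = datetime.fromisoformat(rec["cookie_issued"])
    rec["contacts"] = int(rec["contacts"])
    return rec

def detect(log_text):
    """Return sorted (device, reason) findings for abusive sync patterns."""
    findings = set()
    per_device = defaultdict(list)
    for line in log_text.splitlines():
        r = parse_line(line)
        if r["path"] != "/contact/sync":
            continue
        # Long-lived session: a cookie reused far past a sane lifetime.
        if r["ts"] - r["cookie_issued"] > MAX_COOKIE_AGE:
            findings.add((r["device"], "stale-session-cookie"))
        # One sync carrying an implausibly large contact list.
        if r["contacts"] > MAX_CONTACTS_PER_SYNC:
            findings.add((r["device"], "oversized-contact-list"))
        per_device[r["device"]].append(r["ts"])
    # Burst of syncs from one device: the automated, virtual-device pattern.
    for dev, stamps in per_device.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            if sum(1 for s in stamps[i:] if s - start <= timedelta(hours=1)) > MAX_SYNCS_PER_HOUR:
                findings.add((dev, "sync-rate-exceeded"))
                break
    return sorted(findings)
```

Running `detect(SAMPLE_LOGS)` flags dev-B for both the stale cookie and the request burst, and dev-C for the oversized contact list, while the ordinary dev-A sync passes.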
Has the imminent ban on TikTok dissolved?
In the United States, the threat of a general ban on TikTok ended when the Trump administration departed from Washington. Nonetheless, TikTok and its Chinese parent company, ByteDance, are still drawing concern. For example, in 2019, the US Army and the US Navy banned the app on government-owned phones, and that ban remains in place today.
In India, a ban on TikTok is still in effect. Before the ban, TikTok had an estimated 120 million users in India. In a recent announcement, the company shared that it will need to scale back its workforce within the country as a result of the ban.
TikTok notes that it is committed to increasing its security. “We continue to strengthen our defenses, both by constantly upgrading our internal capabilities, such as investing in automation defenses, and also by working with third parties,” stated a company spokesperson.
What else should TikTok fans and followers know?
Security researchers identified a range of other software flaws over the past several weeks. These include text messages that carried malware and could manipulate videos stored on the platform.
For more on researchers’ TikTok findings, visit CNET.com.