Research by Eran Vaknin, Alon Boxiner
In January 2020, we published research on TikTok, reporting that a threat actor could reveal personal information saved on an account and take actions on behalf of a victim, manipulating the victim’s account content. That issue was responsibly resolved by TikTok prior to the disclosure of the research. In April 2020, TikTok launched a private bug bounty program, which grew into a global public partnership with HackerOne in October 2020 and encourages security researchers to find and responsibly disclose security bugs so that the TikTok teams can resolve them before attackers exploit them.
The publication came in the midst of a series of reports in which TikTok stood in a spotlight, and not the kind of spotlight its dancing users seek.
Trump administration officials warned that the US was considering banning the app, even to the point of an Executive Order addressing “the threat posed by TikTok”. The debate regarding privacy matters concerning the app has grown, eventually becoming the main motivation behind our current research.
As a reference for our modus operandi, we closely followed a 2019 report about Instagram, which confirmed a security issue exposing user accounts and phone numbers.
In recent months, Check Point Research discovered a vulnerability in the TikTok mobile application’s friend finder feature. The vulnerability described in this research lets an attacker link profile details to phone numbers; successful exploitation would enable an attacker to build a database of users and their associated phone numbers. If exploited, this vulnerability would only have impacted users who chose to associate a phone number with their account (which is not required) or who logged in with a phone number.
Check Point Research informed TikTok developers and security teams about this issue and a solution was responsibly deployed to ensure its users can safely continue using the TikTok app.
As our main purpose was to examine the privacy of TikTok, we focused on all actions related to users’ data.
The mobile application supports contact syncing: a user can sync their contacts to easily find people they know on TikTok. In other words, the feature links profile details to phone numbers.
The syncing process is composed of two requests:
For each contact in the user’s contact list, the application builds a JSON object with three attributes:
The JSON objects are appended to a single list, and the upload process continues:
The application uploads the contacts with an HTTP request to https://api16-normal-c-alisg.tiktokv.com/aweme/v1/upload/hashcontacts. The contacts are sent as a list of JSON objects in the contact parameter.
For example, for a single contact with the following details:
The application will send the following list of JSON objects as the value of the contact parameter:
The full HTTP request sent to upload contacts to TikTok:
Once the upload request completes, the application sends a sync request to retrieve all existing profiles connected to the phone numbers it just uploaded.
The HTTP request is sent to https://api16-normal-c-alisg.tiktokv.com/aweme/v1/social/friend.
The application server response contains the list of profiles, hashed phone numbers, profile names, unique ids, profile photos, profile properties (such as hide_search), and more.
The upload and sync contact requests are limited to 500 contacts per day, per user, and per device.
Can a single user query TikTok’s database, causing a privacy violation?
With each launch, the TikTok mobile application performs a device registration process to make sure that users are not switching between devices. Registration is performed with an HTTP request to https://log-va.tiktokv.com/service/2/device_register.
According to the data sent in the HTTP request, the application server generates a unique device_id token.
This token is mandatory and sent with each API request the application makes to the application server.
Login via SMS was only possible from a physical device; it is performed with an HTTP request to https://api16-normal-c-alisg.tiktokv.com/passport/mobile/sms_login_only. The request body contains the encoded mobile (cell-phone number) and code (OTP) parameters.
The server validates the data and generates a unique X-Tt-Token token. Additionally, the server sets the session cookies.
During our research we found that the session cookies and the X-Tt-Token values only expire after 60 days, meaning that we could reuse the same cookies for many weeks.
Capturing TikTok’s HTTP requests revealed that the TikTok mobile application uses a message signing mechanism, preventing threat actors (and researchers) from tampering with messages and modifying the request body.
The message signing mechanism requires the X-Gorgon and X-Khronos headers for server-side verification; without them, data cannot be requested.
Holding the device_id (explained in the Registering a Physical Device section), the X-Tt-Token token and the never-expiring cookies (explained in the Session Tokens Never Expired section), we could now use a virtual device instead of a physical one.
We have used a Genymotion emulator running Android 6.0.1. The TikTok application was installed and executed on the device.
We then performed static and dynamic analysis to understand whether there was any way to bypass the message signing mechanism, so that we could modify request bodies and build an automated process to link profile details to phone numbers at scale.
During the dynamic analysis, we found that TikTok runs a service in the background. This service turned out to be the message signer.
The signing process is implemented in the com.bytedance.frameworks.baselib.network.http package, class e.
The signing process starts with the method a (an obfuscated function name):
A threat actor can use a dynamic analysis framework such as Frida to hook the function, change the data in its arguments (the contacts the threat actor wishes to sync), and re-sign the request.
Therefore, a threat actor can use this service to sign modified requests, obtain updated X-Gorgon and X-Khronos header values (the message signatures), and send the modified request to the TikTok application server.
With the abilities described above, we could modify HTTP requests and re-sign them. This allowed us to automate the process of uploading and syncing contacts on a large scale and build the database of users and their connected phone numbers.
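As an added defensive example (not code from Check Point Research or TikTok): a server-side check that aggregates contact-upload volume per account across all device_ids, so that the per-user, per-device quota of 500 contacts per day described above cannot be multiplied by registering additional virtual devices with the same session token. The log format, account and device names, and the device-count threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed request-log lines (not real TikTok logs): day, account, device_id, endpoint, contacts in batch.
SAMPLE_LOG = """\
2020-11-02 acct_A dev_1 /aweme/v1/upload/hashcontacts 480
2020-11-02 acct_A dev_1 /aweme/v1/social/friend 0
2020-11-02 acct_B dev_2 /aweme/v1/upload/hashcontacts 500
2020-11-02 acct_B dev_3 /aweme/v1/upload/hashcontacts 500
2020-11-02 acct_B dev_4 /aweme/v1/upload/hashcontacts 500
2020-11-02 acct_B dev_5 /aweme/v1/upload/hashcontacts 500
2020-11-03 acct_B dev_2 /aweme/v1/upload/hashcontacts 500
"""

UPLOAD_ENDPOINT = "/aweme/v1/upload/hashcontacts"
DAILY_QUOTA = 500          # the per-user, per-device limit the app enforces
MAX_DEVICES_PER_DAY = 2    # assumed threshold for how many devices a real user syncs from in one day


def parse_log(text):
    """Yield (day, account, device_id, endpoint, contact_count) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        day, account, device, endpoint, count = line.split()
        yield day, account, device, endpoint, int(count)


def find_bulk_sync_accounts(records, quota=DAILY_QUOTA, max_devices=MAX_DEVICES_PER_DAY):
    """Aggregate contact uploads per (day, account) across every device_id.

    Each virtual device stays within the per-device quota on its own; only the
    account-wide total (or the device fan-out) reveals the enumeration.
    Returns {(day, account): {"contacts": total, "devices": n}} for flagged accounts.
    """
    contacts = defaultdict(int)
    devices = defaultdict(set)
    for day, account, device, endpoint, count in records:
        if endpoint != UPLOAD_ENDPOINT:
            continue
        contacts[(day, account)] += count
        devices[(day, account)].add(device)
    flagged = {}
    for key, total in contacts.items():
        n_devices = len(devices[key])
        if total > quota or n_devices > max_devices:
            flagged[key] = {"contacts": total, "devices": n_devices}
    return flagged


if __name__ == "__main__":
    for (day, account), stats in sorted(find_bulk_sync_accounts(parse_log(SAMPLE_LOG)).items()):
        print(f"{day} {account}: {stats['contacts']} contacts across {stats['devices']} devices")
```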
In order to automate message re-signing, we wrote a short Frida script that performs the following actions:
Launch an HTTP server listening on port 4000:
Parse the incoming HTTP POST request and extract the data to be signed:
Re-sign the modified request using the a method (described above):
Return the updated X-Gorgon and X-Khronos signatures:
Using the Frida script described above, a threat actor can automate the linking of phone numbers to profile details. The outcome of this attack is a massive database of linked accounts and phone numbers, resulting in data leakage and a privacy violation.
The popular video sharing app has been reported to be adding 100M users monthly and to have passed 2 billion downloads globally. The app has grown in popularity, nearly tripling in size since 2018.
In 2021, mobile data and analytics firm App Annie expects TikTok not only to join the 1 billion monthly active user (MAU) club alongside Facebook, Instagram, Messenger, WhatsApp, YouTube and WeChat: it predicts TikTok will actually sail past the 1 billion MAU milestone to reach 1.2 billion average monthly active users.
These incredible figures, along with repeated reports on security and privacy matters concerning the app and its usage, led us to conduct this privacy-related research.
We are delighted to join forces with the TikTok team in fixing these issues and providing its users a fun, safe and responsible experience.