Check Point researchers discovered a security vulnerability in TikTok. Attackers could use it to obtain a user's profile together with the mobile phone number bound to it, for use in follow-on attacks.
On January 26th, Check Point researchers published an article reporting that they had discovered a security vulnerability in the friend finder feature of the TikTok mobile client. An attacker can use this vulnerability to link personal profile information to a mobile phone number, and by repeating the process can build a database of users and their phone numbers. The vulnerability affects users who have bound a mobile phone number to their account or who log in with one.
Contact synchronization (Syncing Contacts) feature
The TikTok mobile client supports contact synchronization, which lets users upload their address book to find friends who have registered with TikTok more easily. The synchronization process consists of two requests:
· Upload contacts;
· Synchronize contacts.
For each contact in the user's address book, TikTok constructs a JSON object containing the following three attributes:
· Invited – "False";
· Name – the value hashed with SHA-256;
· Phone number – the value hashed with SHA-256.
Each JSON object is appended to a list, and the whole address book is then uploaded:
TikTok uploads the contacts with an HTTP request to https://api16-normal-c-alisg.tiktokv.com/aweme/v1/upload/hashcontacts. The contacts are sent as a JSON list in the contact parameter.
For example, a single contact is as follows:
· Name: Testing Tester
· Phone number: +972555555555
TikTok will send the following JSON list as the value of the contact parameter:
The complete HTTP request to upload a contact to the TikTok server is as follows:
Once the contact upload request completes, the TikTok mobile client sends a sync request to retrieve all profiles associated with the uploaded phone numbers.
The HTTP request sent to https://api16-normal-c-alisg.tiktokv.com/aweme/v1/social/friend is as follows:
The application server's response contains a list of profiles with, among other fields, the hashed mobile phone number, the person's name, unique ID, profile photo and profile attributes.
Contact upload and sync requests are limited to 500 per day, per user and per device.
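To make the upload format and the rate limit concrete, here is an added example (not Check Point's or TikTok's code) that builds the hashed contact list described above and sketches a server-side daily quota. The JSON key names and the quota class are assumptions; the point of the quota is that a cap keyed only on (user, device) is weaker than one that also totals a user's uploads across all devices.

```python
import hashlib
import json
from collections import defaultdict

DAILY_LIMIT = 500  # upload/sync cap per user and per device, as described above


def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_hashed_contacts(contacts):
    """Build the list sent in the contact parameter: one object per address-book
    entry with the name and phone number SHA-256 hashed. Key names are assumed."""
    return [
        {"invited": "False", "name": sha256_hex(name), "phone_number": sha256_hex(phone)}
        for name, phone in contacts
    ]


def contact_payload(contacts) -> str:
    """Serialise the list as the JSON string that would go into the form body."""
    return json.dumps(build_hashed_contacts(contacts), separators=(",", ":"))


class ContactSyncQuota:
    """Hypothetical server-side daily counter. A cap keyed only on (user, device)
    is sidestepped by registering many device_ids, so a per-user total across all
    devices is enforced as well."""

    def __init__(self, per_device: int = DAILY_LIMIT, per_user: int = DAILY_LIMIT):
        self.per_device = per_device
        self.per_user = per_user
        self.device_counts = defaultdict(int)  # (user_id, device_id) -> contacts today
        self.user_counts = defaultdict(int)    # user_id -> contacts today, all devices

    def allow(self, user_id: str, device_id: str, n_contacts: int) -> bool:
        """Return True and record the upload if it fits both budgets, else False."""
        key = (user_id, device_id)
        if self.device_counts[key] + n_contacts > self.per_device:
            return False
        if self.user_counts[user_id] + n_contacts > self.per_user:
            return False
        self.device_counts[key] += n_contacts
        self.user_counts[user_id] += n_contacts
        return True


if __name__ == "__main__":
    print(contact_payload([("Testing Tester", "+972555555555")]))
    q = ContactSyncQuota()
    print(q.allow("u1", "dev1", 300), q.allow("u1", "dev1", 300), q.allow("u1", "dev2", 300))
```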
Can a single user querying the TikTok database cause privacy issues?
Step 1 – Create a device list (register physical devices)
On each launch, the TikTok mobile client performs a device registration process so that the user does not switch between devices unnoticed. Device registration is completed through a request to https://log-va.tiktokv.com/service/2/device_register :
Based on the data sent in the HTTP request, the application server generates a unique device_id token. The token is mandatory and is sent to the application server with every API request the application makes.
Step 2 – Create a list of non-expiring session tokens
Login via SMS can only be done from a physical device, through an HTTP request sent to https://api16-normal-c-alisg.tiktokv.com/passport/mobile/sms_login_only. The request body contains parameters encoding the phone number and the one-time verification code.
The server will verify the data and generate a unique X-Tt-Token token. In addition, the server also sets a cookie for the session.
The researchers found that the session cookie and the X-Tt-Token value expire after 60 days, so the same cookie and token remain valid for roughly eight weeks.
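Steps 1 and 2 together mean one phone-verified session token can be paired with many registered device_ids. An added detection example (not from the original article, and not based on TikTok's real log format) aggregates constructed API-gateway log lines per session token and flags tokens that fan out across an unusual number of device_ids or whose contact uploads across devices exceed the single-device daily cap.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed API-gateway log format (not TikTok's).
# tokA is one phone-verified session reused across many registered device_ids;
# tokB is an ordinary user on a single device.
SAMPLE_LOG = """\
2021-01-26T10:00:01Z POST /aweme/v1/upload/hashcontacts token=tokA device_id=d1 n=500
2021-01-26T10:00:02Z POST /aweme/v1/social/friend token=tokA device_id=d1
2021-01-26T10:01:01Z POST /aweme/v1/upload/hashcontacts token=tokA device_id=d2 n=500
2021-01-26T10:01:02Z POST /aweme/v1/social/friend token=tokA device_id=d2
2021-01-26T10:02:01Z POST /aweme/v1/upload/hashcontacts token=tokA device_id=d3 n=500
2021-01-26T10:02:02Z POST /aweme/v1/social/friend token=tokA device_id=d3
2021-01-26T10:03:01Z POST /aweme/v1/upload/hashcontacts token=tokA device_id=d4 n=500
2021-01-26T11:00:00Z POST /aweme/v1/upload/hashcontacts token=tokB device_id=d9 n=120
2021-01-26T11:00:01Z POST /aweme/v1/social/friend token=tokB device_id=d9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) POST (?P<path>\S+) token=(?P<token>\S+) device_id=(?P<dev>\S+)(?: n=(?P<n>\d+))?$"
)


def summarise(log_text):
    """Per session token: number of distinct device_ids seen and contacts uploaded."""
    devices = defaultdict(set)
    contacts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        devices[m["token"]].add(m["dev"])
        if m["path"].endswith("/upload/hashcontacts") and m["n"]:
            contacts[m["token"]] += int(m["n"])
    return {t: {"devices": len(devices[t]), "contacts": contacts[t]} for t in devices}


def flag_tokens(log_text, max_devices=2, max_contacts=500):
    """Tokens paired with too many device_ids, or whose contact uploads summed
    across devices exceed what a single device is allowed per day."""
    return sorted(
        t for t, s in summarise(log_text).items()
        if s["devices"] > max_devices or s["contacts"] > max_contacts
    )


if __name__ == "__main__":
    for token, stats in summarise(SAMPLE_LOG).items():
        print(token, stats)
    print("flagged:", flag_tokens(SAMPLE_LOG))
```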
TikTok HTTP message signature
The researchers captured TikTok's HTTP requests and found that the mobile client uses a message signing mechanism that covers the request and its body.
The mechanism relies on the X-Gorgon and X-Khronos headers, which the server verifies; without valid values the request is rejected.
Step 3 – Bypass the TikTok HTTP message signature
With a device_id, an X-Tt-Token and a cookie that will not expire for two months, a virtual device can take the place of the real physical device.
The researcher used the Genymotion emulator running Android 6.0.1 and installed the TikTok mobile client.
Through dynamic analysis the researchers found that the TikTok mobile client runs a message signing service in the background. The signing service is part of the com.bytedance.frameworks.baselib.network.http package.
The signing process, step by step:
An attacker can use a dynamic analysis framework such as Frida to hook the function, modify the parameter data of the function, and then re-sign the request. Therefore, an attacker can use the service to sign the modified request, create updated X-Gorgon and X-Khronos header values, and send the modified request to the TikTok application server.
With these capabilities, an HTTP request can be modified and re-signed. The researchers wrote a Frida script to automate message re-signing, as follows:
Start the HTTP server and listen on port 4000:
Parse the HTTP POST request and extract the data to be signed:
Use the aforementioned method to re-sign the modified request:
Return the updated X-Gorgon and X-Khronos signatures:
The result of the attack is a database linking accounts to mobile phone numbers, a leak of personal data and a violation of user privacy.