
TikTok vulnerability triggers data and privacy leaks

Check Point researchers discovered a security vulnerability in TikTok. An attacker can use it to obtain a user's profile together with the mobile phone number bound to the account, data that can feed further attacks.

On January 26th, Check Point researchers published an article describing a security vulnerability in the friend-finder feature of the TikTok mobile client. An attacker can use this vulnerability to associate profile information with a mobile phone number, and by repeating the query can build a database of users and their mobile phone numbers. The vulnerability affects users who have bound a mobile phone number to their account or who log in with it.

Contact synchronization (Syncing Contacts)

The mobile client supports contact synchronization, which lets a user upload their address book to find friends who have already registered with TikTok. The synchronization process consists of two requests:

· Upload contacts;

· Synchronize contacts.

[screenshot omitted]

For each contact in the user's address book, the client constructs a JSON object with the following three attributes:

· Invited – "False";

· Name – the value hashed with SHA-256;

· Phone number – the value hashed with SHA-256.

[screenshot omitted]

Each object is appended to a list, and the client then proceeds to upload the address book:

[screenshot omitted]

The client uploads the contacts with an HTTP request to https://api16-normal-c-alisg.tiktokv.com/aweme/v1/upload/hashcontacts. The contacts are sent as a JSON list in the contact parameter.

For example, a single contact is as follows:

· Name: Testing Tester

· Phone number: +972555555555

the client sends the following JSON list as the value of the contact parameter:

[screenshot omitted]

The complete HTTP request to upload a contact to the TikTok server is as follows:

[screenshot omitted]

Sync contacts

After the contact upload request completes, the TikTok mobile client sends a sync request to retrieve all the profiles associated with the uploaded phone numbers.

The HTTP request sent to https://api16-normal-c-alisg.tiktokv.com/aweme/v1/social/friend is as follows:

[screenshot omitted]

The application server's response contains a list of profiles, each with the hashed mobile phone number, the user's name, unique ID, profile photo, profile attributes, and so on.

[screenshot omitted]

Limit

Upload and sync contact requests are limited to 500 per day, per user and per device.
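The exchange described in the two sections above, simulated end to end as an added example (this is not code from the article or from TikTok): the client hashes each name and phone number with SHA-256 and packs them into the JSON list carried by the contact parameter, and a toy server keeps an index keyed by the same hash, answers a sync request with the matching profiles, and enforces the 500-per-day budget per (user, device). The JSON key names, the profile fields returned and the merging of the upload and sync steps into one call are assumptions made for the simulation; the registered-user table is constructed sample data. The point it makes is that the hash is only a lookup key, so whoever submits it receives the profile, and the per-device counter is the only thing standing between a client and the whole phone-number space.

```python
import hashlib
import json
from collections import defaultdict

# From the article: 500 upload/sync requests per day, per user and per device.
DAILY_LIMIT = 500


def sha256_hex(value: str) -> str:
    """SHA-256 of a UTF-8 string, hex encoded (name and phone are hashed this way)."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_contact_entry(name: str, phone: str) -> dict:
    """One address-book entry with the three attributes the article lists.
    The key names are assumptions; the article only names the attributes."""
    return {
        "invited": "False",
        "name": sha256_hex(name),
        "phone_number": sha256_hex(phone),
    }


def build_upload_body(contacts) -> str:
    """Value of the `contact` parameter: a JSON list of hashed entries."""
    return json.dumps([build_contact_entry(n, p) for n, p in contacts])


# Constructed sample of server-side accounts, each bound to a phone number.
REGISTERED_USERS = [
    {"uid": "100001", "nickname": "Testing Tester", "phone": "+972555555555"},
    {"uid": "100002", "nickname": "Second User", "phone": "+972555555556"},
]


def build_phone_index(users) -> dict:
    """The server side keeps a lookup keyed by the same SHA-256 the client sends."""
    index = {}
    for u in users:
        h = sha256_hex(u["phone"])
        index[h] = {"uid": u["uid"], "nickname": u["nickname"], "hashed_phone": h}
    return index


class ContactSyncServer:
    """Toy stand-in for the upload + /aweme/v1/social/friend pair (merged into one call)."""

    def __init__(self, users):
        self.index = build_phone_index(users)
        self.calls = defaultdict(int)  # (user, device_id, day) -> requests so far

    def sync_friends(self, user: str, device_id: str, day: str, upload_body: str) -> list:
        key = (user, device_id, day)
        if self.calls[key] >= DAILY_LIMIT:
            raise PermissionError("daily contact-sync limit reached for this user/device")
        self.calls[key] += 1
        entries = json.loads(upload_body)
        # Every uploaded hash that matches a registered account yields that profile.
        return [self.index[e["phone_number"]] for e in entries
                if e["phone_number"] in self.index]


if __name__ == "__main__":
    srv = ContactSyncServer(REGISTERED_USERS)
    body = build_upload_body([("Testing Tester", "+972555555555"),
                              ("Nobody", "+972555000000")])
    print(srv.sync_friends("user-1", "device-1", "2021-01-26", body))
```

Note that the budget is keyed on the device as well as the user: a second device_id starts with a fresh counter, which is exactly the gap the rest of the article exploits by registering virtual devices.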

Research question

Can a single user query the TikTok database in a way that causes privacy issues?

Step 1 – Create a device list (register physical devices)

On each launch, the TikTok mobile client performs a device registration process so that the user is not switching between devices. Registration is performed by a request to https://log-va.tiktokv.com/service/2/device_register :

[screenshot omitted]

Based on the data sent in this HTTP request, the application server generates a unique device_id token. The token is mandatory and is sent to the application server with every API request the application makes.

[screenshot omitted]

Step 2 – Create a list of non-expiring session tokens

Login via SMS can only be performed from a physical device; it is done through an HTTP request to https://api16-normal-c-alisg.tiktokv.com/passport/mobile/sms_login_only . The request body contains parameters encoding the phone number and the one-time verification code.

[screenshot omitted]

The server verifies the data and generates a unique X-Tt-Token token. The server also sets a session cookie.

The researchers found that both the session cookie and the X-Tt-Token value expire after 60 days, so the same cookie and token remain valid for roughly eight weeks.

[screenshot omitted]

TikTok HTTP message signature

By capturing TikTok's HTTP traffic, the researchers found that the mobile client uses a message-signing mechanism that covers the request and its body.

The mechanism relies on the X-Gorgon and X-Khronos headers, which the server verifies; requests without valid values are rejected.

[screenshot omitted]

Step 3 – Bypass the TikTok HTTP message signature

Once the device_id, the X-Tt-Token token and the cookie that stays valid for two months are in hand, a virtual device can take the place of the real physical device.

The researchers used the Genymotion emulator running Android 6.0.1 and installed the TikTok mobile client on it.

Dynamic analysis showed that the TikTok mobile client runs a message-signing service in the background. The signing service is part of the com.bytedance.frameworks.baselib.network.http package.

[screenshot omitted]

The signing process starts as follows:

[screenshot omitted]

An attacker can use a dynamic analysis framework such as Frida to hook this function, alter its parameter data, and have the request re-signed. In other words, the attacker can make the signing service sign a modified request, producing fresh X-Gorgon and X-Khronos header values, and then send the modified request to the TikTok application server.

PoC

With the above capabilities, an HTTP request can be modified and re-signed. The researchers wrote a Frida script that automates the re-signing, in four parts:

Start an HTTP server listening on port 4000:

[screenshot omitted]

Parse the incoming HTTP POST request and extract the data to be signed:

[screenshot omitted]

Use the aforementioned method to re-sign the modified request:

[screenshot omitted]

Return the updated X-Gorgon and X-Khronos signatures:

[screenshot omitted]

The outcome of the attack is a database linking accounts to mobile phone numbers, a data and privacy leak.
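The three steps above leave a recognisable server-side footprint: one long-lived X-Tt-Token session used across many freshly registered device_ids, often from one source address, with the combined contact-sync volume far above what a single device could send under the 500-per-day cap. The following detector, added here as an example (not part of the article or of any TikTok tooling), runs that check over a few constructed request-log lines. The log format (timestamp, client IP, device_id, abbreviated X-Tt-Token, request path), the thresholds and the sample values are all assumptions; only the endpoint paths and header names come from the article.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real TikTok logs). Fields: timestamp,
# client IP, device_id, X-Tt-Token (abbreviated), request path.
# tok-AAAA is one session driving three device_ids from one address;
# tok-BBBB is an ordinary single-device user.
SAMPLE_LOG = """\
2021-01-26T10:00:01Z 203.0.113.7 dev-0001 tok-AAAA /service/2/device_register
2021-01-26T10:00:02Z 203.0.113.7 dev-0001 tok-AAAA /aweme/v1/upload/hashcontacts
2021-01-26T10:00:03Z 203.0.113.7 dev-0001 tok-AAAA /aweme/v1/social/friend
2021-01-26T10:00:10Z 203.0.113.7 dev-0002 tok-AAAA /service/2/device_register
2021-01-26T10:00:11Z 203.0.113.7 dev-0002 tok-AAAA /aweme/v1/upload/hashcontacts
2021-01-26T10:00:12Z 203.0.113.7 dev-0002 tok-AAAA /aweme/v1/social/friend
2021-01-26T10:00:20Z 203.0.113.7 dev-0003 tok-AAAA /service/2/device_register
2021-01-26T10:00:21Z 203.0.113.7 dev-0003 tok-AAAA /aweme/v1/upload/hashcontacts
2021-01-26T10:00:22Z 203.0.113.7 dev-0003 tok-AAAA /aweme/v1/social/friend
2021-01-26T11:30:00Z 198.51.100.20 dev-9001 tok-BBBB /aweme/v1/upload/hashcontacts
2021-01-26T11:30:01Z 198.51.100.20 dev-9001 tok-BBBB /aweme/v1/social/friend
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

# The two contact-sync endpoints named in the article.
SYNC_PATHS = {"/aweme/v1/upload/hashcontacts", "/aweme/v1/social/friend"}


def parse_line(line: str):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, device_id, token, path = m.groups()
    return {"day": ts[:10], "ip": ip, "device_id": device_id,
            "token": token, "path": path}


def analyze(log_text: str, max_devices_per_token: int = 1,
            max_devices_per_ip: int = 2, daily_limit: int = 500) -> dict:
    """Flag sessions and addresses that fan out over many device_ids, and
    sessions whose aggregate sync volume exceeds one device's daily budget.
    Thresholds are assumptions chosen for the sample data."""
    devices_per_token = defaultdict(set)
    devices_per_ip = defaultdict(set)
    sync_per_token_day = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        devices_per_token[rec["token"]].add(rec["device_id"])
        devices_per_ip[rec["ip"]].add(rec["device_id"])
        if rec["path"] in SYNC_PATHS:
            sync_per_token_day[(rec["token"], rec["day"])] += 1
    return {
        "tokens_with_many_devices": {t: sorted(d) for t, d in devices_per_token.items()
                                     if len(d) > max_devices_per_token},
        "ips_with_many_devices": {ip: sorted(d) for ip, d in devices_per_ip.items()
                                  if len(d) > max_devices_per_ip},
        "tokens_over_daily_budget": {k: n for k, n in sync_per_token_day.items()
                                     if n > daily_limit},
    }


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOG).items():
        print(name, hits)
```

Counting the sync budget per session token rather than per device_id is the design choice that matters here: it is the per-device scope of the original limit that a pool of registered virtual devices multiplies, while a single X-Tt-Token still ties all of that traffic to one login.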