TikTok vulnerability triggers data and privacy leakage

Check Point researchers found a security vulnerability in TikTok. An attacker can exploit it to obtain users' profile information and the phone numbers bound to their accounts, for use in follow-up attacks.

On January 26, Check Point researchers published an article describing a security vulnerability in the FriendFinder feature of the TikTok mobile client. An attacker can use the vulnerability to link profile information to phone numbers and, by doing so repeatedly, build a database of profiles with their associated phone numbers. The vulnerability affects users who have bound a phone number to their account or who log in with a phone number.

Contact synchronization (Syncing Contacts)

The TikTok mobile client supports contact synchronization. The synchronization process consists of two requests:

Upload contacts, then sync contacts.

For each contact in the user's address book, TikTok builds a JSON object with the following three attributes:

invited – "false"; name – the SHA-256 hash of the contact's name; phone number – the SHA-256 hash of the phone number.

The JSON object is appended to the list, and the client moves on to the next contact:


TikTok uploads the contacts with an HTTP request to https://api16-normal-c-alisg.tiktokv.com/aweme/v1/upload/hashcontacts. The contacts are sent as a JSON list in the contact parameter.

For example, for a single contact such as:

Name: Testing Tester
Phone number: +97255555555

TikTok sends the following JSON list as the value of the contact parameter:


The complete HTTP request that uploads the contacts to the TikTok server looks like this:


Sync contacts

After the upload request completes, the TikTok mobile client sends a sync request to retrieve all profiles associated with the phone numbers it just sent.

The HTTP request is sent to https://api16-normal-c-alisg.tiktokv.com/aweme/v1/social/friend as follows:


The application server responds with a list of profiles, each containing the hashed phone number, the user's name, unique ID, profile photo and profile attributes.


Upload and sync requests are limited to 500 per user, per device, per day.

Research question

Can a single user querying the TikTok database in this way cause a privacy problem?

(1) STEP 1 – Create a list of devices (registered physical devices)

On each launch, the TikTok mobile client performs a device registration process to ensure that the user has not switched devices. Device registration is done with a request to https://log-va.tiktokv.com/service/2/device_register:


Based on the data sent in the HTTP request, the application server generates a unique device_id token. This token is mandatory and is sent to the application server with every subsequent API request.


(2) STEP 2 – Create a list of session tokens (which have an expiration time)

Login by SMS can only be performed from a physical device. It is done by sending a request to https://api16-normal-c-alisg.tiktokv.com/passport/mobile/sms_login_only. The request body contains parameters with the phone number and an encoded one-time verification code.

The server verifies the data and generates a unique X-TT-token. In addition, the server sets a session cookie.

The researchers found that the session cookie and the X-TT-token value expire after 60 days, i.e. the same cookies remain valid for eight weeks.


TikTok HTTP message signing

By capturing TikTok's HTTP requests, the researchers found that the TikTok mobile client uses a message signing mechanism to prevent an attacker from modifying the message and its body. The mechanism requires X-Gorgon and X-Khronos headers that are verified by the server; a request without valid values is rejected.


(3) STEP 3 – Bypass the TikTok HTTP message signing

Once the device_id and X-TT-token values are in hand, and for the two months before they expire, a virtual device can take the place of the real physical device.

The researchers used the Genymotion emulator running Android 6.0.1 and installed the TikTok mobile client on it.

Dynamic analysis showed that the TikTok mobile client runs a message signing service in the background. The signing service is part of the com.bytedance.frameworks.baselib.network.http package.


The signing process works as follows:


An attacker can use a dynamic instrumentation framework such as Frida to hook these functions, modify the function's parameters, and have the request re-signed. In other words, the attacker can use the signing service to sign a modified request, obtain updated X-Gorgon and X-Khronos header values, and send the modified request to the TikTok application server.


With this capability, an HTTP request can be modified and signed again. The researchers wrote a Frida script that automates the re-signing process, as follows:

Start an HTTP server listening on port 4000:


Parse the HTTP POST request and extract the data to be signed:


Re-sign the modified request using the method described above:


Return the updated X-Gorgon and X-Khronos signatures:


The end result of the attack is a database that links accounts to phone numbers, i.e. a data and privacy leak.
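A server-side detection that follows from the per-device quota and from the way the attack reuses one session token across many registered devices: an added example (not Check Point's or TikTok's code), in Python, over constructed request counters with assumed field names, that sums sync requests per session token across device IDs and flags sessions that stay under the per-device limit on each device yet exceed it in aggregate.

```python
import json
from collections import defaultdict

# Per-user, per-device daily limit on upload/sync requests stated in the article.
DAILY_QUOTA = 500

# Endpoints involved in contact synchronization (from the article).
SYNC_PATHS = {"/aweme/v1/upload/hashcontacts", "/aweme/v1/social/friend"}

# Constructed sample: one record per (day, session token, device_id, endpoint) with the
# number of requests seen. Field names and values are assumed; these are not real logs.
SAMPLE_LOG = """
{"day":"2021-01-26","path":"/aweme/v1/upload/hashcontacts","tt_token":"tok_A","device_id":"dev1","requests":300}
{"day":"2021-01-26","path":"/aweme/v1/social/friend","tt_token":"tok_A","device_id":"dev1","requests":150}
{"day":"2021-01-26","path":"/aweme/v1/upload/hashcontacts","tt_token":"tok_B","device_id":"dev2","requests":480}
{"day":"2021-01-26","path":"/aweme/v1/upload/hashcontacts","tt_token":"tok_B","device_id":"dev3","requests":480}
{"day":"2021-01-26","path":"/aweme/v1/upload/hashcontacts","tt_token":"tok_B","device_id":"dev4","requests":480}
{"day":"2021-01-26","path":"/aweme/v1/social/friend","tt_token":"tok_C","device_id":"dev5","requests":120}
{"day":"2021-01-26","path":"/aweme/v1/social/friend","tt_token":"tok_C","device_id":"dev6","requests":130}
{"day":"2021-01-26","path":"/passport/mobile/sms_login_only","tt_token":"tok_B","device_id":"dev2","requests":1}
"""

def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def aggregate_by_session(records):
    """Sum sync requests per (session token, day) across all device ids; track devices used."""
    totals = defaultdict(int)
    devices = defaultdict(set)
    for r in records:
        if r["path"] not in SYNC_PATHS:
            continue  # logins and other endpoints do not count toward the sync quota
        key = (r["tt_token"], r["day"])
        totals[key] += r["requests"]
        devices[key].add(r["device_id"])
    return totals, devices

def flag_quota_circumvention(records, quota=DAILY_QUOTA):
    """Sessions within the per-device quota on every device but above it once summed."""
    totals, devices = aggregate_by_session(records)
    flagged = {}
    for (tok, day), n in totals.items():
        if n > quota and len(devices[(tok, day)]) > 1:
            flagged[tok] = {"day": day, "requests": n, "devices": len(devices[(tok, day)])}
    return flagged

if __name__ == "__main__":
    print(flag_quota_circumvention(parse_log(SAMPLE_LOG)))
```

A legitimate user on two phones (tok_C) stays well under the limit, while a session spread over several registered devices (tok_B) is reported with its aggregate count.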

This article was translated from: