Quote:A vulnerability in the popular TikTok short-form video-sharing platform could have allowed attackers to easily compile users’ phone numbers, unique user IDs and other data ripe for phishing attacks.
TikTok, owned by ByteDance, has more than 800 million active users worldwide. The vulnerability, which was reported and patched before its disclosure on Tuesday, existed in the “Find Friends” feature of the TikTok mobile app. This feature allows users to find their friends, either via their contacts, via Facebook or by inviting friends.
In order to help users find friends through their contacts, TikTok contained a sync feature for contacts who had TikTok accounts. That means that it is possible to connect profile details with phone numbers. Researchers said an attacker could leverage this feature in order to query TikTok’s entire database – potentially opening up for privacy violations.
“The vulnerability could have allowed an attacker to build a database of user details and their respective phone numbers,” said Oded Vanunu, head of products vulnerabilities research at Check Point. “An attacker with that degree of sensitive information could perform a range of malicious activities, such as spear phishing or other criminal actions.”
Read more: https://threatpost.com/tiktok-flaw-phish...ks/163322/
![[-]](https://www.geeks.fyi/images/collapse.png)
