TikTok Bug Could Have Exposed Users' Profile Data and Phone Numbers
2021-01-26 20:36

Cybersecurity researchers on Tuesday disclosed a now-patched security flaw in TikTok that could have enabled an attacker to build a database of the app's users and their associated phone numbers for future malicious activity.

Although this flaw only impacts those users who have linked a phone number with their account or logged in with a phone number, a successful exploitation of the vulnerability could have resulted in data leakage and privacy violation, Check Point Research said in an analysis shared with The Hacker News.

The contacts are uploaded to TikTok via an HTTP request in the form of a list that consists of hashed contact names and the corresponding phone numbers.

The app, in the next step, sends out a second HTTP request that retrieves the TikTok profiles connected to the phone numbers sent in the previous request.
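A server-side check for bulk use of the two-request contact-sync flow described above, as an added example that is not TikTok's or Check Point's code. The event shape, thresholds, account names and phone numbers are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune against real contact-sync traffic.
WINDOW = timedelta(hours=24)   # look-back window per account
MAX_DISTINCT = 500             # distinct numbers one account may sync per window
MIN_SAMPLE = 20                # do not judge "consecutive" on tiny uploads
MAX_SEQ_RATIO = 0.5            # share of numbers whose successor was also uploaded

def sequential_ratio(numbers):
    """Share of numbers n for which n+1 is also present.
    Real address books are rarely consecutive; generated ranges are."""
    vals = {int(n.lstrip("+")) for n in numbers}
    if len(vals) < 2:
        return 0.0
    return sum(1 for v in vals if v + 1 in vals) / len(vals)

def flag_enumeration(events, window=WINDOW, max_distinct=MAX_DISTINCT):
    """events: (timestamp, account_id, [phone numbers]) in time order,
    one tuple per contact-upload request. Returns {account_id: reason}."""
    recent = defaultdict(deque)          # account -> (timestamp, number set)
    flagged = {}
    for ts, account, numbers in events:
        q = recent[account]
        q.append((ts, set(numbers)))
        while ts - q[0][0] > window:     # expire uploads older than the window
            q.popleft()
        distinct = set().union(*(s for _, s in q))
        if len(distinct) > max_distinct:
            flagged.setdefault(account, f"{len(distinct)} distinct numbers in window")
        elif len(distinct) >= MIN_SAMPLE and sequential_ratio(distinct) > MAX_SEQ_RATIO:
            flagged.setdefault(account, "mostly consecutive numbers")
    return flagged

def constructed_events():
    """Constructed sample data: one ordinary address book, one generated range."""
    t0 = datetime(2021, 1, 26, 12, 0)
    normal = [f"+1555{i * 7919:07d}" for i in range(150)]
    events = [(t0, "acct-normal", normal)]
    for b in range(10):                  # ten uploads of 100 consecutive numbers
        batch = [f"+1444{b * 100 + j:07d}" for j in range(100)]
        events.append((t0 + timedelta(minutes=b), "acct-bulk", batch))
    return events

if __name__ == "__main__":
    for account, reason in flag_enumeration(constructed_events()).items():
        print(account, "->", reason)
```
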

Eventually, TikTok launched a bug bounty partnership with HackerOne last October to help users or security professionals flag technical concerns with the platform.

"We were curious if the TikTok platform could be used to gain private user data. It turns out that the answer was yes, as we were able to bypass multiple protection mechanisms of TikTok that lead to privacy violation."


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/QmPhl6j0G-k/tiktok-bug-could-have-exposed-users.html