
Introduction


TikTok is one of the most popular mobile short-video applications, with around 800 million registered users. Users create content with filters, music and effects, and the videos draw attention precisely because they are strange and eye-catching.

For such a large and popular entertainment platform, a sizeable list of downsides is gradually becoming apparent in the media. Unencrypted HTTP traffic and SMS link spoofing are two specific vulnerabilities discovered in the application over the past three months. Despite this, people keep posting videos in which they show which schools they attend, film inside and around their homes, and even give out phone numbers and other personal information. That is the topic this article starts with.

OSINT Technology


Most TikTok users are young teenagers who do not appreciate the danger of spreading personal information. TikTok is driven by trends, and some of those trends lead directly to the disclosure of personal data: passport details, phone numbers, email addresses, links to other social networks, credit card details and much more.

Search String


One of TikTok's most useful features for this purpose is content search, reached through the "Discover" button. Tapping it switches the screen to a feed of the most popular content, but the important part of this tab is the search bar at the top. Anything can be typed into it: usernames, song titles, hashtags and the key phrases of challenges. As an example, take the phrase "find my number" (other useful queries are "Call me", "Phone Me", "Guess my number", "Credit Card" and "Debit Card").


The results appear on the main results page. For a more focused search, select the "Hashtags" tab and open the very first entry. In many of these videos users reveal their phone number piece by piece, or in full except for the last digit. The hidden digits can often be spotted elsewhere on screen, and a single missing digit can simply be brute-forced, since there are only ten possibilities.

In the example below, one user deliberately hides the number in different parts of the video. In other videos the real number is shown for only a split second. It cannot be made out on a phone screen, but opening the video in a desktop browser makes it possible to examine the frame in detail.

Here are some more examples of users posting email addresses. These videos were found by searching for "gmail.com" and for the hashtag "email me".


Audio Track


Another key clue for finding related videos is the audio track used in a video. In the lower right corner of the screen is a spinning record icon representing the video's audio track. Tapping it opens a page listing every video that uses the same track, and those videos usually follow the same trend. In the example below, users recorded videos with the same audio track.


Another example is a track called "Your I.D. will always Humble you". Under it, users record videos showing the photo from their identity document. Many of them do not show the whole document, but most show the personal signature and date of birth under the photo. After going through enough videos published with this track, you will certainly find some that show the entire ID card.


Get further information


Once this information has been collected, the logical question is: what else can be found starting from a phone number or an email address?

Further searching based on the data obtained is done with Lampyre. It takes an identifier (an email address or a phone number) and returns the accounts registered to it. Such queries usually produce accurate and fairly unique results.

Below is a search on three US phone numbers. Two of the numbers returned linked Instagram and Twitter accounts, along with the corresponding IDs and profile links. Only a little information was returned this time, but much more can be obtained; it depends on the goal and on which phone number the user registered with. For searching Instagram, use our application [Nuga], which we wrote about recently. The third number returned more: it was linked to WhatsApp and Skype accounts. The number can also be added to a phone's contact list to check which messaging accounts are registered to it.



Below is an example of an email search in Lampyre. Here it returned partial information such as a phone number from LinkedIn and Apple, a direct link to the Facebook account, and confirmation that the email was used to register on Instagram and TikTok:



Lampyre can be used four times for free per registration; after that you need a paid subscription or additional tokens. Of course, you can register accounts with temporary email addresses and keep using the tool, searching and analysing everything that Lampyre returns.

OSINT TOOL


Collecting basic profile information is another way of passively gathering data from TikTok. It can be done manually by recording all the key profile metadata, but there is a more automated and easier-to-use tool for the job: TikTok OSINT Toolkit.

It automatically collects all public data of a TikTok user, such as:

  • Profile Name
  • Profile picture
  • Number of subscribers
  • Number of Subscriptions
  • Profile Information
  • Profile Verification
  • Number of fans
  • Number of likes
  • Number of videos
  • Profile ID

The tool is written in Python 3 and uses the BeautifulSoup package, which greatly simplifies collecting everything that can be obtained from the user's profile URL. It is run with:

python3 tiktokOSINT.py --username {USERNAME} --downloadProfilePic 


The key parameter is the username, from which the HTTP request for the HTML profile page is built. The page is then parsed, the embedded block with the "application/json" type is located, the fields describing the user are selectively copied into an array and saved to a folder next to the tool. The program also prints the same text information about the user on the command line.

As an example, below is a Unix shell session that retrieves the results for the user "juliagodunova":


As a small bonus, a similar tool is available online, in a slightly more limited form. It works the same way: it sends an HTTP request with the user's profile link, the server replies with the same JSON, and the tool lays out the relevant information on the page. It has three main functions:

  1. Search for a user's profile by name
  2. Search for videos with a given hashtag
  3. User metadata by username


URL Information Search


Hashtags


TikTok has a dedicated tab for searching videos by hashtag, which is also reached from the search bar. There is an alternative way to search, though: a direct link on the official TikTok website. If you know the exact hashtag of interest, open the following URL, replacing "test" with the hashtag:

www.tiktok.com/tag/test

Usernames


TikTok has a username search that works just like the hashtag search. If you know your target's username, you can go directly to their profile with the following URL, replacing "test" with the username:

www.tiktok.com/@test

Comments


Like on any other social network, TikTok users leave comments under other users' posts. They can be viewed next to each video, but unfortunately they are not present in the page source. To collect them in bulk, use exportcomments.com: paste the URL of the TikTok video into the search field and wait for the job to finish. Below is an excerpt that includes the exact usernames, date, time, likes and comment text for the target post.


TikTok video


When you have found a video of interest on TikTok, the video page itself offers no download function, and right-clicking gives nothing useful, not even the source of the media file. Instead, rely on third-party sites such as Experts PHP.


The Experts PHP service passes the URL of the selected video to the official TikTok video server and returns a direct link to watch and download the video in 720p. Next, let us look at how a weakness in the way TikTok's servers deliver media makes it possible to substitute a fake video for any user.

Vulnerabilities that extend OSINT in TikTok


Integrate your own video on the home screen


TikTok downloads all of its media content over plain, unencrypted HTTP. Like many applications built for social networks with a large, active user base, TikTok uses content delivery networks (CDNs) to distribute its huge volume of data around the world. TikTok's choice of HTTP for the CDN is explained by faster transfer of video and other media. Although this improves transfer speed and performance, unencrypted traffic compromises personal data and user privacy: plain HTTP can be read and modified by anyone on the path between the phone and the CDN.

At the time of writing, TikTok for iOS (version 15.5.6) and Android (version 15.7.4) used plain HTTP to connect to TikTok's CDN. After a short session of capturing and analysing TikTok's network traffic in Wireshark, it is easy to spot the requests whose video and image payloads are transmitted completely in the clear.

The following is an example of network traffic captured by Wireshark:


In this way, TikTok inherits all the known and well-documented weaknesses of HTTP. Any router between the TikTok application and its CDN can easily record every video the user has downloaded and watched, together with the viewing history. Public Wi-Fi hotspots and ISPs can collect this data effortlessly.

Here is a list of the data that TikTok transports over plain HTTP:

  • Videos: all videos in the app.
  • Photos: all photos, including profile pictures.
  • Video thumbnails: the preview image shown while a video is loading.

All the content types listed above can be tracked. For example, a viewing history can be built by capturing the traffic downloaded from http://v34.muscdn.com .

A man-in-the-middle (MITM) attack can completely replace the content downloaded to the phone. A significant limitation is that the attacker must be on the same local network as the victim; only then can the attacker insert themselves into the channel (for example by ARP spoofing) and push a large number of fabricated claims in a substituted video, which can appear to come from a celebrity or a trusted account.

Substituting and distributing misleading fake videos on an interactive platform like TikTok is a serious risk. As an example, the risks of a man-in-the-middle attack that substitutes a video are demonstrated and analysed below.

Method of application


A small set of fake videos was prepared and hosted on a server that emulates a TikTok CDN server, namely v34.muscdn.com. For the demonstration, only the script and the conditions for swapping the video were created; profile photos were left as they were, although they could be altered in the same way. Only this one video server was emulated, so that real and fake videos are mixed and the result looks trustworthy to users.
To make TikTok show the prepared videos, the application has to be redirected to the fake server. Since the server simply stands in for the TikTok server, and the transfer is plain HTTP, the application has no way to confirm that it is talking to the genuine source. It therefore blindly trusts and plays whatever content the server it is connected to returns.

The whole trick is to redirect the application to the prepared server. This can be done simply by adding a DNS resource record that maps the name v34.muscdn.com to the IP address of the fake server.

Anyone with access to the users' router can do the same. First, a DNS server under the attacker's control is configured (for example through its hosts file) to resolve v34.muscdn.com to the fake server. Then the router is reconfigured to hand out that DNS server to its clients. When the TikTok application now asks for the IP address of v34.muscdn.com, the DNS server returns the address of the fake server, and from then on every request the app makes to v34.muscdn.com goes to the fake server automatically.

Such actions may be performed by the following persons:

  1. Wi-Fi operators: the operator of a Wi-Fi network can configure the router to use a malicious DNS server.
  2. VPN providers: a VPN provider can configure its own DNS server for all users of its service.
  3. Internet service providers (ISPs): ISPs have full access to their customers' connections and can reconfigure DNS in order to substitute content or monitor user activity.

If you do not trust any of the parties listed above, there is a chance that the content you are watching in TikTok has already been altered. The same applies to any Internet service that transfers data over plain HTTP.

Below is the HTTP traffic directed to the fake server. The highlighted line is the video request sent by the application to 192.168.13.2, the address of the fake server. The server picks the prepared video and returns it to the application, which plays it to the user, as shown in the demo video. Note that only video requests reach the fake server; requests for profile photos and user data were left untouched and still go to the real servers.


youtu.be/voTnYPfkqlY

The prepared videos contain misleading information about COVID-19, showing a real and potential channel for spreading misinformation about a current problem.

Only users connected to the local router could see this malicious content. If, however, the DNS server of a large Internet provider were compromised to add such a record, then, as shown above, the misleading information or fake news would be seen on a far larger scale.

SMS Spoofing


The official TikTok website has a feature that sends an SMS message with a link to download the application to a user-supplied mobile number. An account-takeover vulnerability built on this functionality was discovered, and it is demonstrated in this section.

An attacker who wants to send an SMS to a potential victim can intercept the HTTP request with a proxy such as Burp Suite. The Mobile parameter holds the phone number the SMS is sent to, and the download_url parameter holds the link that appears in the SMS message:


An example of such an SMS message:


If the download_url parameter is changed, the original link in the SMS is replaced with one chosen by the attacker for the next stage of the attack. The picture below shows a forged SMS containing a malicious link; "attacker.com" was used for the demonstration.

Fake SMS message containing the link "https://attacker.com":


Examining the TikTok application code for Android showed that it has deep-link functionality that lets a hyperlink open a web page in the application's own browser view.

The main entry points through which the application accepts such requests are "https://m.tiktok.com" and "musical://":


Using this functionality, an attacker can intercept the request and send a link pointing at the malicious server mentioned above. Because the link carries a "url" parameter, the mobile application opens its in-app browser and navigates to the web page named in that parameter, so every request that page makes is sent together with the user's cookies.

The following link was used to demonstrate:


The deep-link redirection inside the app is shown below:


The mobile application then opens a browser window and loads the prepared web server at "http://10.10.10.113:8000", from which it later becomes possible to send requests on the user's behalf.

User redirection


During the research it was found that a potential victim who clicks the sent link is redirected to a malicious website. This redirection makes it possible to carry out further attacks: cross-site scripting (XSS), cross-site request forgery (CSRF) and disclosure of confidential user data.

The redirect happens when the attacker sends a genuine login link from the official TikTok domain login.tiktok.com.

It was found that a login request may carry an HTTP GET parameter redirect_url. An authentication request that sends the user to another page after a successful login therefore looks like this:

login.tiktok.com/?redirect_url=www.tiktok.com

The value of 'redirect_url' is meant to send the victim to a page on the TikTok domain, and it is validated with the following regular expression (applied only on the client side):


The regular expression does not validate the redirect_url parameter properly: it only checks that the value contains the text "tiktok.com". This makes it possible to redirect to any other domain name that contains "tiktok.com".

For the demonstration, an attacker can redirect users to www.attacker-tiktok.com and from there carry out further attacks aimed at stealing personal information.


Cross-site Scripting (XSS)


The research found that the TikTok subdomain "https://ads.tiktok.com" is vulnerable to XSS, in which malicious scripts are injected into an otherwise trusted website. The help center at "https://ads.tiktok.com/help/" explains how to create and publish ads on TikTok, and its search function turned out to be an XSS injection point. When a search is performed, an HTTP GET request is sent to the server with the q parameter holding the search string.

The following image shows a typical search query, here for the word "pwned":

ads.tiktok.com/help/search?q=pwned


An attacker can therefore try to inject JavaScript into the q parameter (the value is URL-encoded). For the demonstration, a request was crafted that opens an alert window in the browser:

ads.tiktok.com/help/search?q=%22%3Cscript%20src%20%3Djavascript%3Aalert%28%29%3E


TikTok user account management


Cross-site request forgery (CSRF)


Having completed the previous tests and analysed all the information, JavaScript can now be executed in two ways: through the XSS attack, or by redirecting the user to a malicious website that sends requests to TikTok with the user's cookies.

Because there is no anti-CSRF mechanism, the injected JavaScript can easily perform actions on behalf of the user without his consent.

Delete video


A video is deleted with an HTTP GET request to the link below, substituting the video ID:

api-t.tiktok.com/aweme/v1/aweme/delete/?aweme_id=video_id

The JavaScript sends an HTTP GET request to delete the video with the given identifier. The following image shows the request deleting the video with ID "6755373615039991045":


Confirmation from the server that the video was successfully deleted:


Create a video


To create a video in a user's profile, first send a request to create a video in your own feed; that request generates a new video identifier. Then copy the generated create-video request and send it as an HTTP POST on behalf of the other user.

Below is the request creating a video in the potential victim's feed:


And the positive response from the server:


Subscribe to selected user


An attacker who wants to follow a user account first sends a follow request, which the user then has to approve. The same technique is used to send the request and then approve it on behalf of the potential victim.

The approval is sent as an HTTP POST to the following link:

api-m.tiktok.com/aweme/v1/commit/follow/request/approve

The POST body contains a 'from_user_id' parameter with the identifier of the user who wants to follow the victim.

Change the value of 'from_user_id' to your own ID and send the request to the TikTok server:


At this point the attacker becomes a follower of the potential victim:


Change video sharing settings


To switch a video from private to public, the video ID is needed. It can only be obtained when the attacker already follows the potential victim, so the previous step is completed first.

Once the attacker has the ID of a private video, its privacy setting can be changed with an HTTP GET request sent on behalf of the user:

api-m.tiktok.com/aweme/v1/aweme/modify/visibility/?aweme_id=video_id&type=1&aid=1233&mcc_mnc=42503

The important parameters here are 'aweme_id' and 'type'. 'aweme_id' is the ID of the video whose visibility is to be changed, and 'type' is the visibility mode: 'type=1' makes the video public and 'type=2' makes it private.

The following shows the HTTP GET request that switches the video with ID "6755813399445261573" from private to public:


The server's response shows that the video is now public and accessible to everyone:


Exposure of Confidential Information


The research showed that JavaScript executed via XSS or the other methods above can also be used to obtain sensitive information. Several API calls were found on the subdomains "https://api-t.tiktok.com" and "https://api-m.tiktok.com"; requests to these APIs reveal confidential user information including the email address, payment details, date of birth and more.

When trying to exploit the vulnerabilities above from JavaScript, an obstacle was encountered: the Cross-Origin Resource Sharing (CORS) checks and the Same-Origin Policy (SOP).

The API subdomains allow requests only from certain origins (for example www.tiktok.com ). As an example, here is an API request made from "https://cpr.checkpoint.com":


The server's response was blocked by these restrictions:


So a way around CORS and SOP was needed in order to extract the private information stored there.

Further analysis revealed that TikTok's servers implement an unusual JSONP call, which can be used to access user data through the API while bypassing CORS and SOP. This makes it possible to steal all of the user's confidential information as JSON via an AJAX-style request.

The following example shows a request for all the confidential information associated with the user's wallet. The request carries a callback parameter whose value is the name of the JavaScript function that will be invoked with the data (myCallBackMethod):


The example shows the confidential data returned by the API. Once obtained, it can be sent to the attacker's server:



Conclusion


Collecting all the relevant metadata about any user by hand is not difficult and requires no special knowledge. Standalone tools and automated profile requests provide a more convenient replacement for the manual steps.

The analysis makes it clear that not every application is a safe place for personal information. Vulnerabilities such as SMS spoofing and plain-HTTP traffic extend what OSINT techniques can normally extract about a user. Using HTTP instead of HTTPS makes it possible not only to observe incoming and outgoing traffic, but also to intercept TikTok users' requests and data: videos, user activity, and their own videos and photos. Badly configured channels for processing and transmitting information, which in turn enable spoofing, also help an attacker obtain exact phone numbers for a reverse search of all of a user's connected social accounts.

So how do you protect your information in TikTok? As far as the collection of public information goes, one option is to switch on the private-account setting, which hides all profile information from public view. For the attacks demonstrated here the answer stays the same: if you choose to use the application, the responsibility rests with you.

Analysis of all the demonstrated attacks revealed the risks tied to one of the most popular and widely used social applications in the world. These attacks reinforce the urgent need for privacy and data security online: our data sits on a great many networks, and the most valuable information is stored there.
