Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
TikTok fixes privacy issue discovered by Check Point Research
Eran Vaknin, Alon Boxiner - CheckpointPosted 5 Years Ago- The syncing contacts feature is common on major applications; it allows you to find other users on with your contacts. Although this is a cool feature, this needs to be restricted in order to prevent abuse. If this feature was abused, an attacker could steal phone numbers, emails and other information associated with a TikTok account.
- TikTok attempted to restrict access to this API by signing the messages and have a limit on the amount of daily contacts syncs. But, by using Frida to hook the message signing functionality, it would be possible to resign the requests.
- Setting this up in an Android emulator made the process for signing with a large amount of devices makes this even easier. Because the restrictions were not great enough, this process could be used in order to completely automate the process to steal contacts from TikTok.
- To me, the moral of the story is to check the rate limiting restrictions even if they are there. They may not be sufficient for the test.
