Researchers at cyber-security specialist Check Point Research have identified a security vulnerability in TikTok’s ‘Find Friends’ feature. If left unpatched, the vulnerability would have enabled an attacker to access a user’s profile details and the phone number associated with their account, making it possible to build a database of users and their related phone numbers for use in malicious activity.

Certain profile settings

Profile details that were accessible via the vulnerability include the user’s phone number, TikTok nickname, profile and avatar pictures, unique user IDs, as well as certain profile settings, such as whether a user is a follower or if a user’s profile is hidden.

Researchers found the TikTok app enabled ‘contacts syncing’, meaning that a user can sync the contacts on their phone to easily find people they may know on TikTok. This makes it possible to connect users’ profile details to their phone numbers, if those users have linked a phone number with their account or logged in with a phone number.

Registering physical devices

With those phone numbers and profile details, attackers could potentially access further information about users from outside TikTok, such as by searching for other accounts or publicly available data. The process is as follows:

Step 1 – Creating a list of devices (registering physical devices) – each time it is launched, the TikTok app performs a device registration process to make sure that users are not switching between devices.

Step 2 – Creating a list of session tokens which do not expire for 60 days – during the SMS login process from a mobile device, TikTok servers validate the data by generating a token and session cookies. Researchers found that the session cookies and the token values only expire after 60 days, which meant they could use the same cookies to log in for weeks.

Step 3 – Bypassing TikTok’s HTTP message signing – researchers found that a threat actor could manipulate the sign-in process by bypassing TikTok’s HTTP message signing, thereby automating the process of uploading and syncing contacts at scale, which would eventually build a database of users and their connected phone numbers for the threat actor to potentially target.

Private user data

Check Point Research responsibly disclosed its findings to ByteDance, the maker of TikTok. A fix was deployed to ensure TikTok users can continue using the application safely.

Oded Vanunu, Head of Products Vulnerabilities Research at Check Point, said: “Our primary motivation was to explore the privacy of TikTok. We were curious to see if the TikTok platform could be used to gain access to private user data.”

“We were able to bypass multiple protection mechanisms of TikTok, that led to privacy violation. The vulnerability could have allowed an attacker to build a database of user details and their respective phone numbers. An attacker with that degree of sensitive information could perform a range of malicious activities, such as spear phishing or other criminal actions. Our message to TikTok users is to share the bare minimum, when it comes to your personal data, and to update your phone’s operating system and applications to the latest versions.”

Identifying potential issues

TikTok statement: “The security and privacy of the TikTok community is our highest priority, and we appreciate the work of trusted partners like Check Point in identifying potential issues so that we can resolve them before they affect users. We continue to strengthen our defences, both by constantly upgrading our internal capabilities such as investing in automation defences, and also by working with third parties.”

CPR has now twice found security flaws in TikTok. On January 8, 2020, CPR published a paper on a set of vulnerabilities that could have allowed a threat actor to access personal information saved in users’ accounts, manipulate users’ account details, or take actions on behalf of a user without their consent.

Mobile data and analytics

TikTok is reportedly adding 100M users monthly and has surpassed 2 billion downloads globally, meaning it has nearly tripled in size since 2018. In 2021, mobile data and analytics firm App Annie expects TikTok not only to join the 1 billion monthly active user (MAU) club alongside Facebook, Instagram, Messenger, WhatsApp, YouTube and WeChat; it also predicts TikTok will sail past the 1 billion MAU milestone to reach 1.2 billion average monthly active users.
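The three steps above turn on two server-side weaknesses: session tokens that stayed valid for 60 days, and an HTTP message-signing check that could be bypassed so contact uploads ran unattended at scale. The Python below is an added illustration, not Check Point’s or TikTok’s code and not a description of TikTok’s real protocol. It shows the controls a defender would want on such an endpoint: an HMAC signature that binds method, path, body digest, device, timestamp and nonce; a short validity window so a captured signature cannot be replayed for weeks; a nonce cache so the same signed request is accepted once; and a per-device quota on contact-sync uploads. The header names, the 5-minute window, the hourly quota and the device secrets are all assumptions made for the example.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed per-device secrets; a real service would issue these at device registration.
DEVICE_SECRETS = {
    "device-A": b"constructed-secret-for-device-A",
}

SIGNATURE_WINDOW_SECONDS = 300   # assumption: a signature older than 5 minutes is rejected
SYNC_LIMIT_PER_HOUR = 5          # assumption: contact-sync uploads allowed per device per hour

_seen_nonces = set()             # replay cache (in-memory for the example)
_sync_times = defaultdict(list)  # device id -> timestamps of recent sync uploads


def canonical_string(method, path, body, device_id, timestamp, nonce):
    """Bind method, path, body digest, device, time and nonce into one string to sign."""
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_digest, device_id, str(timestamp), nonce])


def sign_request(method, path, body, device_id, timestamp, nonce):
    """Client side: HMAC-SHA256 over the canonical string with the device's secret."""
    message = canonical_string(method, path, body, device_id, timestamp, nonce).encode()
    return hmac.new(DEVICE_SECRETS[device_id], message, hashlib.sha256).hexdigest()


def verify_request(method, path, body, headers, now=None):
    """Server side: return (accepted, reason). Cheapest checks run first."""
    now = time.time() if now is None else now
    device_id = headers.get("X-Device-Id", "")
    if device_id not in DEVICE_SECRETS:
        return False, "unregistered device"
    try:
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - timestamp) > SIGNATURE_WINDOW_SECONDS:
        return False, "stale signature"      # a captured request cannot be reused for weeks
    nonce = headers.get("X-Nonce", "")
    if not nonce or nonce in _seen_nonces:
        return False, "replayed nonce"
    expected = sign_request(method, path, body, device_id, timestamp, nonce)
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"        # body/path altered, or signing step skipped
    _seen_nonces.add(nonce)
    return True, "ok"


def allow_contact_sync(device_id, now=None):
    """Sliding-window quota so a single device cannot upload contact lists at scale."""
    now = time.time() if now is None else now
    recent = [t for t in _sync_times[device_id] if now - t < 3600]
    _sync_times[device_id] = recent
    if len(recent) >= SYNC_LIMIT_PER_HOUR:
        return False
    recent.append(now)
    return True


if __name__ == "__main__":
    now = 1_700_000_000
    body = b'{"contacts": ["+1 555 0100"]}'   # constructed upload body
    sig = sign_request("POST", "/contacts/sync", body, "device-A", now, "nonce-1")
    headers = {"X-Device-Id": "device-A", "X-Timestamp": str(now),
               "X-Nonce": "nonce-1", "X-Signature": sig}
    print(verify_request("POST", "/contacts/sync", body, headers, now=now))   # accepted
    print(verify_request("POST", "/contacts/sync", body, headers, now=now))   # replay rejected
    print([allow_contact_sync("device-A", now=now + i) for i in range(6)])   # sixth is denied
```

The quota and the replay cache are the pieces that matter against the bulk-upload pattern described in Step 3: even a client that forges a valid signature still has to spend a fresh nonce and a fresh timestamp on every request and is held to a small number of sync uploads per hour per registered device.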
Check Point Research is conducting an ongoing study into cyber threats in the run-up to the 2020 US elections. Initial findings of the study show surges in the number of malicious domains related to the election. Furthermore, researchers at CPR have outlined their top 6 attack scenarios to watch out for in the lead-up to election day.

Check Point researchers conducted a study on election-related domains between June and October 2020. Compared to other domains registered during this period, election-related domains have a 56% higher chance of being malicious. Since the middle of August, Check Point researchers have documented an average of 1,545 new election-related domains registered each week, a 24% increase from previous months. In September, 16% of all election-related domains were found to be malicious.

Spike in Malicious Election-related Domains

Oded Vanunu, Check Point’s Head of Products Vulnerabilities Research, said: “The upcoming Presidential Election has already been marked by storms of controversy over misleading claims and the potential for vote-tampering. Now threat actors are ramping up their efforts to manipulate the results and cause additional disruption, by creating fake election-related websites with the aim of spreading false news and propaganda, or of stealing users’ details. With just 20 days to go until election day on 3rd November, we urge people to double-check the election-related resources they visit online to ensure they are genuine and trustworthy, and to avoid the risk of having their personal data phished.”

Check Point also outlines the top 6 possible election cyber-attack scenarios:

DDoS on the US Postal Service

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. The postal service consists of conveyors, sorters, scanners, servers and databases that have to function together to allow millions of voters to exercise their right to vote. This digital system, unfortunately, could be a target for cyber-attacks. A denial-of-service attack on postal branches in various states could result in significant delays in the delivery of votes to the relevant authorities for tabulation, as well as raise questions about the integrity of the results and erode public confidence in the democratic process.

Prevention: It is critical that the national cyber authorities implement DDoS mitigation solutions capable of protecting against and preventing such destructive attacks. Such protection must secure the infrastructure of the service and be able to automatically detect and mitigate known and zero-day DoS/DDoS attacks in real time.

Fake News becomes a Central Attack Vector

The claim of ‘fake news!’ surrounding contentious issues has become a new attack vector over the past four years, without people really understanding its full impact. Following the 2016 election, U.S. officials accused foreign actors of trying to influence the elections through the spread of false information, fabricated news items, and misleading data aimed at shifting public opinion in favour of the candidate of their choice.

Prevention: Be careful about the content you engage with. Look out for and check the links you receive. Use information from trustworthy sources. Don’t open emails from unknown sources.

Attacks on the Communication of the Result

One memorable attack impacting election result-publication systems occurred in the 2014 Ukrainian elections, when government experts detected and removed malware designed to change the vote results that were about to be presented. The malware had been designed to portray the ultra-nationalist, right-wing party leader Dmytro Yarosh as the winner with 37 percent of the votes instead of the 1 percent that he actually received. Although the malware was removed and the correct results were presented on the CEC website, Russian Channel One incorrectly reported that Yarosh was leading with 37 percent of the votes and displayed a screenshot from the CEC showing these fake results. This can be overcome simply by establishing alternative communication channels with public media and press agencies.

Meme Warfare

“Meme camouflage” aims to defeat the algorithms of social media by flooding them with memes that spread the desired messages. Meme channels such as “Meme ware 2020 #9” and “Election win memes” were built with the goal of flooding social media platforms on the night of the elections, even after the results have been tallied. The actual “game plan” of such channels is to bypass the way social media deletes messages by simply flooding hundreds of them, so that at least some of them stay online undetected by social media admins. This is very likely to happen on election night itself.

Prevention: National cyber authorities must make sure their result-publication systems contain malware defences that include layers of safeguards, including continuous network scans. Today’s next-generation firewalls can protect against viruses, worms, Trojans, spyware and ransomware, and are able to identify and completely block malware before it enters the network and inflicts damage.

Leaking Documents Snatched from the Opponent

During the 2016 elections, hackers affiliated with foreign actors infiltrated the information systems of the Democratic National Committee (DNC), the Democratic Congressional Campaign Committee (DCCC), and Clinton campaign officials, notably chairman John Podesta, and publicly released stolen files and emails through WikiLeaks, among other outlets, during the election campaign. Russian government officials have denied involvement in any of the hacks or leaks, which created frequent negative news cycles. On the other side of the political map, the RNC (Republican National Committee) was not immune to such attacks: on January 10, 2017, the FBI revealed that Russia had succeeded in “collecting some information from Republican-affiliated targets but did not leak it to the public”.

Prevention: To avoid data breaches, passwords should be maintained on all accounts, password policies enforced within the organisation, information security awareness and education enforced, and authentication and endpoint security used on the systems on which data is stored.

Malicious election-related domains

As the FBI recently warned, “Spoofed domains and email accounts are leveraged by foreign actors and cybercriminals and can be easily mistaken for legitimate websites or emails. Adversaries can use spoofed domains and email accounts to disseminate false information; gather valid usernames, passwords, and email addresses; collect personally identifiable information; and spread malware, leading to further compromises and potential financial losses.”

Prevention: Check for authentic URLs. Verify a URL against the one published on the authentic website. One way to do this is NOT to click on links in emails, but instead to click the link from the Google results page after searching for it. Watch for shortened links: often, attackers will abridge a URL so that, once clicked, a person is fooled into thinking they are clicking through to something legitimate. Furthermore, beware of lookalike domains, spelling errors in emails or websites, and unfamiliar email senders.