How Did I Crack X-Gorgon REST Security Layer of TikTok — Part 1

Susith Rupasinghe
SLIIT FOSS Community
5 min read · Jul 12, 2022

TikTok was originally called “Douyin” in China and was developed by the Chinese company ByteDance. Nowadays TikTok is one of the major video sharing platforms across the globe.

First of all, I have to tell you that I am not a full-time TikTok user, but I created a few accounts a few years ago to observe these security issues.

When I was in school I was very curious about TikTok, because I remember that scraping data from TikTok was in high demand in those days, and it still is. I worked on large-scale TikTok data scraping on Upwork, harvesting a few million users within days, so I literally earned a few thousand $$$ doing that.

Until now I have been researching these TikTok security layers for almost 4 years, so it is hard to write all of my findings in a single article. This will be a long series of articles, and I hope you will be patient. Some findings and some technical content I have to hold back because of security concerns. I hope you will be fine with that.

The reason for publishing this set of articles: recently I found that some guys won a bug bounty after reporting TikTok security breaches, and they reported the same loopholes I found a few years ago. It was totally my fault for not reporting them, and for selling user data and manipulating some data points instead of reporting to TikTok. Anyway, I acted foolishly, so I deserved it. I have no hard feelings toward those who reported the same stuff I found, because you acted as real gentlemen. Hats off, guys.

So let’s talk about the real matter.

Initially TikTok came only as a mobile application. A few years later they released the TikTok Lite app, and meanwhile they merged TikTok Trends into the TikTok website as well. Nowadays TikTok Web has almost the same features as the native app, so when talking about their security layers we have to look at these 3 platforms individually.

  1. TikTok App
  2. TikTok Lite App
  3. TikTok Web

In upcoming articles I will discuss these 3 platforms in depth: what I found, how I did it, and the critical data points that made me so curious.

What the fuc#$% is this X-GORGON?

For the TikTok main app and the TikTok Lite app, a RESTful API is how they communicate with their servers. But unlike web apps, we can’t intercept those API requests in a simple way. I won’t write about that in this article, because I am mainly focusing on the security issues they made.

If you are familiar with RESTful API conventions, you already know the meaning of the “X-” prefix: in API conventions it is used for custom headers injected by the request origin. So “X-Gorgon” is a custom header injected by the TikTok app’s internal auth interceptors to secure their API wrapper, and the backend servers can validate the request with this “X-Gorgon” header and reject it if it is invalid.

Reversing the TikTok private API wrapper is not a big challenge: you need to tweak some Android network certificates and forward your network traffic through a man-in-the-middle proxy server, and then you will be able to capture everything you want. But nowadays TikTok has more security, and the latest Android API levels won’t let you do that kind of manipulation, so you probably have to consider lower Android API levels, which have less security and are vulnerable to network interceptors. As a number, I can recommend API levels below 22 for this.

Let’s dive into the main topic again.

If you successfully reach the API endpoint, you can request it again and again and you will get a success response and a data-filled payload from TikTok servers. Nothing to wonder about, because you didn’t change anything. Until you change something you might be like “Howlyyy Shittt I hackked TIKTOKK”. 😏

Hehe, unfortunately you are not. 💁

Just try to change the payload and send it again; you will change your mind. Like, “I had it….I had it... MF……….” 😂

If you check the list of headers that you captured, among the tons of headers you can find the 2 major security headers used to validate the request.

  1. X-Khronos
  2. X-Gorgon
Look at X-Gorgon and X-Khronos

If you look carefully at “X-Khronos”, it probably feels familiar, because it is only 10 digits and starts with 15. This was an old data set I collected around mid-2020. So damn yeah, it’s a timestamp: X-Khronos is the timestamp of the moment you execute the request.

But X-Gorgon is the issue. It is a kind of hash signature that is unique to each payload, covering query parameters + headers + payload. So even if you change a single character in one of those sections, you need a new X-Gorgon token to prove the request’s validity. So literally, if you are able to generate this X-Gorgon header dynamically, you have all the balls of ByteDance’s engineers. 😂
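To make the server-side validation concrete, here is an added example of how a backend can verify a request-signing header of this shape. It is not TikTok’s code and not the leviathan algorithm (which the article says is not public): it uses a generic HMAC-SHA256 over the path, sorted query string, the X-Khronos timestamp plus one other signed header, and a hash of the body, with a bounded replay window on X-Khronos. The secret, the signed header set and the endpoint are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Hypothetical shared secret; a real deployment would derive it per client/build.
SERVER_SECRET = b"demo-secret-not-a-real-key"
# Headers covered by the signature (X-Khronos is the request timestamp, as on the page).
SIGNED_HEADERS = ("X-Khronos", "User-Agent")
MAX_CLOCK_SKEW = 300  # seconds; bounds the replay window around X-Khronos

def canonical_request(path, query, headers, body):
    """Deterministic bytes covering path + query + signed headers + body.
    Query keys are sorted so parameter order alone cannot change the result."""
    qs = urlencode(sorted(query.items()))
    hdrs = "\n".join(f"{h.lower()}:{headers.get(h, '').strip()}" for h in SIGNED_HEADERS)
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{path}\n{qs}\n{hdrs}\n{body_hash}".encode()

def sign(secret, path, query, headers, body):
    """Client side: HMAC-SHA256 over the canonical request (stand-in for leviathan)."""
    msg = canonical_request(path, query, headers, body)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify(path, query, headers, body, now=None, secret=SERVER_SECRET):
    """Server side: returns (accepted, reason) for an incoming request."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Khronos"])
    except (KeyError, ValueError):
        return False, "missing or malformed X-Khronos"
    if abs(now - ts) > MAX_CLOCK_SKEW:
        return False, "X-Khronos outside replay window"
    expected = sign(secret, path, query, headers, body)
    # Constant-time compare so a wrong token does not leak how many bytes matched.
    if not hmac.compare_digest(expected, headers.get("X-Gorgon", "")):
        return False, "X-Gorgon does not match request"
    return True, "ok"

def demo():
    """Constructed sample: a valid request, a tampered query, and a replayed request."""
    now = 1594000000  # constructed mid-2020 timestamp: 10 digits, starts with 15
    headers = {"X-Khronos": str(now), "User-Agent": "demo-client/1.0"}
    query, body = {"q": "cats", "count": "20"}, b'{"page": 1}'
    headers["X-Gorgon"] = sign(SERVER_SECRET, "/api/search", query, headers, body)
    good = verify("/api/search", query, headers, body, now=now)
    tampered = verify("/api/search", {**query, "count": "200"}, headers, body, now=now)
    replayed = verify("/api/search", query, headers, body, now=now + 3600)
    return good, tampered, replayed
```

Because X-Khronos is inside the signed material, an old capture cannot simply be resent with a fresh timestamp, which is why both headers have to be checked together.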

The problem is that it is very hard to predict this X-Gorgon hash generator function. TikTok generates that token with a function called leviathan. If you are able to crack this now, you will probably get rich, because on the black market there are tons of guys willing to pay tons of $$$ for this X-Gorgon algorithm. See? I am still trying to sell this 😂 … Just kidding.

Anyway, a few years ago the leviathan function took only 2 parameters, and some reverse engineers, including me, were able to crack it successfully, meaning we could generate the X-Gorgon token dynamically. But suddenly TikTok changed their leviathan function to a 3-parameter signature. Howlyy shit.

In the next article I will show the smali code (intermediate byte code) taken from the Dalvik engine, the analysis I did, and the flows I predicted. There will be a lot of critical data points, so I think I will have to write up to 15 articles to expose all the findings about X-Gorgon I have made over the years. Anyway, everyone is still trying to crack the new leviathan, but there are a few ways to bypass the X-Gorgon token; I will publish them when this X-Gorgon series is done. I don’t want to make this article too long. I hope you got a brief idea about this TikTok X-Gorgon matter. So,

See you in the next article. Bye 👌

*If you are trying to follow these steps, do so at your own risk. I wrote this article for educational purposes. I don’t want to publish this as formal security research. But if you copy this content directly and post it somewhere, please leave credit and a reference to this original article.

If I mistakenly publish anything directly affecting user security or ByteDance security, and you are a responsible person at the above-mentioned company, let me know and I will remove that content ASAP.

Susith Rupasinghe
SLIIT FOSS Community

Associate Technical Lead at Arimac | Backend Dev | Postman Student Expert | Tech Enthusiast | SE UG ( SLIIT ) | Independent Cybersecurity Researcher |