基于抖音共同联系人的群体用户关系分析

Analysis of Group Users Relationship Based on TikTok Mutual Contacts

很多流行的社交App都有展示用户之间的共同关系的功能,然而,共同关系的暴露也可能导致用户隐私安全问题的发生.以中国最知名的短视频软件抖音为研究对象,分析了其共同联系人功能存在的用户隐私泄露的安全漏洞.提出了一种针对群体用户的漏洞利用和攻击方式,该攻击方式可以达到的效果是,即使群体中某些用户设置了不允许通过手机号找到自己,攻击者仍然可以利用已知的群体用户的手机号码和群体用户之间的内在联系获得这些用户的抖音账号.攻击者在获得群体中尽可能多的用户的抖音账号后,可以对这些用户相互之间的关注信息、通信录信息、视频点赞和评论信息进行收集,并利用这些信息计算群体用户之间的关系,为发起进一步的有效攻击提供一定的辅助.提出了描述用户关系的2个指标——亲密度和群体活跃度,并给出了这2个指标的计算方法.通过对现实社会中3个真实群体的实验,验证了用户关系计算的有效性,分析了对用户所造成的安全威胁,并给出了安全防范建议.

Many popular social apps have the function of showing mutual relationship between users.However,the exposure of mutual relationship may lead to the occurrence of user privacy security problems.Taking China s most famous short video software TikTok as the research object,a privacy disclosure security vulnerability in the mutual contacts function of TikTok is analyzed.A method of vulnerability exploiting and attacking for group users is proposed.The attack effect is that even if some users are not allowed to find themselves through their mobile phone numbers by some settings,an attacker can still use the known mobile phone numbers of group users and the internal connections among group users to get these users TikTok accounts.After getting as many TikTok accounts of the group users as possible,attackers can collect the following,contacts,video likes and comments information among group users,and use this information to calculate users relationship,which can provide some assistance for launching further effective attacks.Two indexes—intimacy and group-activeness—are proposed to describe users relationship,and the calculation method of these two indexes is given.Through the experiment of three real groups in society,the effectiveness of user relationship calculation is verified.In the end,the security threats to users are analyzed and the security prevention suggestions are given.