Creating new perspectives since 2009

Young Syria man finds security loopholes in TikTok

June 14, 2024 at 3:39 pm

Baraa Habab, a 27-year-old software engineer from Syria

A young 27-year-old Syrian man, Baraa Habab, continues his achievements in the field of software. He recently discovered a serious loophole in TikTok involving manipulating the percentage added to the player rounds by gift-givers. This would mean that if someone sent round players 1,000 points, TikTok bank would automatically pay the player the amount due for 10,000 points.

Young Syria man finds security loopholes in TikTok

Young Syria man finds security loopholes in TikTok

This loophole is considered dangerous because TikTok Bank is overpaying players from its own account.

After getting proof and demonstrating it live, software engineer, Baraa, ended the live and showed everyone that 14,200 points were added to his account, even though the round only earned 1,422 points.

Baraa travelled to Washington and met with the TikTok support team at its headquarters in Washington to close the loophole within 72 hours. He received a $10,000 reward, with the news being widely shared on TikTok on 7 February.

Baraa Habab says he is “striving for a society protected from the endless software loopholes in the digital world”.

READ: Palestinian wins Microsoft award for the sixth year in a row

In 2022, Baraa had previously discovered a critical loophole in the official website of the insurance company of most Egyptian banks, such as Banque Misr, Al Ahly Bank, Cairo Bank, Abu Dhabi Islamic Bank and others.

The loophole was related to reflected cross-site scripting (XSS), which allows hackers to inject “malicious codes” into the site until they reach the database, then instructs the database to show the information stored in it in the form of an “error message”. This loophole is used to steal cookies or the unique session address of the user’s browser, known as the session ID.

This is the third loophole discovered by the genius Syrian programmer, Baraa Habab, as he had previously discovered security loopholes on Facebook in 2017, and repeatedly wrote to them to inform them of the loophole, but they ignored him. He then did something Facebook did not expect; he logged into many public and private pages on Facebook, without knowing the username, email, or password and without even corresponding with the owners of the pages.

After that, Baraa tried to communicate again with the Facebook administration to inform them of this loophole, but to no avail. He did not receive any response from them, and they continued to ignore him. As a last resort, he took another escalatory step to prove to them that he actually discovered a loophole, by logging into the account of a Syrian porn actor and wrote the post, “We are not honoured that you are Syrian!”

He logged on to other public Arab and foreign pages, to send Facebook his new evidence, but he was, once again, met with neglect and lack of interest. He decided to challenge them to show them his discovery was valid, so he logged into the account of the Facebook co-founder, Chris Hughes, and wrote a post in English and Arabic, saying “There is no such thing as 100 per cent protection, there is always a missing loophole.”  Facebook was forced to listen to him, and he had important documents through which he was able to convince them that they had a security loophole in their website. They thanked him and employed him as a “security guard”, as well as added his name to the list of honour.

After his employment, he discovered the second loophole in 2018, which allows him to violate the privacy of millions of users without their knowledge. He managed to remove a new technical loophole that enables the hacker to see any photos, videos or stories that the user downloaded from Facebook on his device without posting.

READ: UNRWA relaunches IT Service Centre in Gaza

Such a weakness is very sensitive to a large company like Facebook to protect the privacy of its users and its reputation, which would have been subjected to a great upset had it not been discovered by Baraa Habab.

Baraa greatly assists companies to ensure protection and information security, and also helps many people harmed by fraud on Facebook, as well as helping people recover their pages.

He also works to provide information security content to educate people about electronic blackmail and create a safe space for all accounts and affairs on the Internet, in general, and social networking sites, in particular.

Baraa Habab is a young man who emerged from suffering, as the situation in Syria forced him to abandon his studies at the College of Informatics Engineering and leave his country as an immigrant, before completing his studies and realising his dream. However, he managed to turn this curse into a blessing, and his dreams were not crushed. Instead, he accomplished something beyond his dreams of graduating with a degree in Informatics Engineering. He worked hard on his own, enduring the hardships and harshness of diaspora and made scientific discoveries, far from the many of the theoretical details that Arab universities are still teaching. His passion for the world of programming took him further than he expected, so he worked patiently and diligently until he left a great mark in the field of information security systems.

Perhaps Baraa Habab’s success story will motivate and inspire many successful, aspiring Arab youth, as there are many of them in our Arab societies.

OPINION: The Visual Arts Forum nurtures Palestinian youth into the world of art 

The views expressed in this article belong to the author and do not necessarily reflect the editorial policy of Middle East Monitor.