OSINT Investigations on TikTok

Already highly popular with younger generations, TikTok has become more widely known in recent months as additional users flock to the platform. The app allows users to record and share short videos as well as comment and like other user’s videos. A browser version of the application exists, however it is far more stripped down and requires a little bit of knowledge in order to work around and utilize it to the fullest potential.

This guide will be focusing on how to exploit TikTok from a computer browser, rather than utilizing the mobile app, and all without the need for a TikTok account. I will provide references to what information can be obtained, as well as provide some of my TikTok-specific tools and techniques for getting the most information out of a target’s account.

Profile

A user’s profile will be where most of the collection and analysis for an investigation will occur as it contains all the publicly viewable information on the account. A user’s TikTok profile can be viewed in a web browser by adding their username to the end of the following URL: https://www.tiktok.com/@. The user’s profile page can include multiple points of exploitation including: a Profile Photo, Nickname, Unique Id (@), Verified Badge, a Description, as well as the account’s total follower, following, and heart (like) counts. The user profile also includes the videos posted by the account.

Profile: Profile Photo

Unlike some social media sites where users may try to mask their identity, many TikTok users seem to have no issues in using real photos of themselves for their accounts. This seems especially common on sites where users are vying to go viral and/or obtain a large following.  As always, one of the first things I recommend is running the user’s profile photo through a reverse image search tool such as Google, Bing, Yandex, or Tineye. You can obtain the URL of the photo by right-clicking the photo and selecting the Inspect Element option. You will see a bit of code similar to the below which contains the full-size URL of the photo within the parenthesis:

background-image:url(https://p16.muscdn.com/img/musically-maliva-obj/1638197514769414~c5_720x720.jpeg)

Using this link at images.google.com I quickly found the account owner on multiple other social media websites as they had the same photo posted to those accounts.

In addition to using the profile photo URL to run the reverse image search you can also throw it into your URL bar and view the full-size image, such as below. This makes a big difference when trying to view details within the photo which may be unrecognizable from just the profile thumbnail shown on the account.

Profile: Nickname

The user’s Nickname is the top name on the account profile and is in a larger font than the rest of the text. Multiple accounts can have the same Nickname so there are unlikely to be unique to the user. That being said, there is a split among how user’s treat this field. Sometimes they will use it as a username, whereas others might display their full or partial name in this field. In the example above this user is likely taking the second option, and using it to display what appears to be his first name (Sam). This would help later on when trying to fully identify the user.

Profile: Unique Id (@)

Directly under the user’s Nickname will be their Unique Id, which will always begin with an @ symbol. Unlike Nicknames, this is a unique identifier that cannot be used on more than one account. This should be treated like a username and you should attempt to find accounts on other websites utilizing the same Unique Id. You can use one of many username search websites out there, or you can run the username through different search engines with quotations (ex “kingjomanji”). You should use multiple tools here as each one has their own weaknesses. For example, Google does not seem to consistently scrape all Instagram accounts, though it does scrape some of Instagram’s third party sites (such as pictame). This can be hit or miss depending on the age of the account.

Using our example above I ran the username through Google which caught the Instagram account but didn’t see anything else conclusive on additional platforms at that time.

Profile: Verified Badge

TikTok users may also receive a Verified Badge which will be displayed under the Unique Id on their profile as a checkmark followed by "verified account". Most verified accounts will belong to celebrities or other social media influencers that tend to have a large number of followers and hearts. This badge does not offer much in terms of investigatory value other than helping confirm that the account is likely who they claim to be.

Profile: Following

A user’s following is the list of all users that the account is currently following. Viewing the accounts a user is following can be a finicky task if you only have a computer and no TikTok account. TikTok users on the mobile app can click on a user’s following and it will display the list of accounts they are following. Unfortunately, there does not appear to be a native way to replicate this on the TikTok website. That being said, there is a 3rd party website (pictured above) which allows you to view a user’s following here. Not all accounts are held here, but it is always worth checking out.

A user’s following tends to hold more value than their followers, as they are choosing to follow these accounts. This shows that they either have an interest in their accounts or perhaps know those people in real life or on another platform. This is also great for establishing a pattern of life if, for example, they tend to have followings that all share specific interests. In our example above, we can see that Howie Mandel has only followed 18 accounts, and they all appear to be celebrities or some form of social media influencer accounts.

Profile: Followers

A user’s followers list will contain list of all users that the account is being followed by. Like a user’s following, viewing the user’s followers can be a finicky task if you only have a computer and/or no TikTok account. User’s with an account and the TikTok app can click on a user’s followers on their profile and it will display the list of accounts they are being followed by. As with following, there does not appear to be a native way to replicate this on the TikTok website. Instead, I recommend the same 3rd party website which allows you to view a user’s list of followers here. Be advised that not all accounts will appear on this site.

Followers may not provide as much information as a user’s followings, though that isn’t to say it has no value. Searching this list, especially on smaller and less known accounts, may assist in finding users the account owner knows in real life or on another platform, thereby making it easier to narrow down their location or find other accounts to exploit. We can see in the example above that this account has over 25 million followers, meaning that we cannot simply go through them one by one, and should look for other areas to exploit instead.

Profile: Hearts/Likes

The total number of a user’s received hearts/likes will appear in their profile on the same line as their followers and following count. This is the total count of all hearts given by other user’s on each of their videos. For investigative purposes there is not too much value in the hearts count other than trying to determine how established or legitimate the account is. That being said, if you want to view all of the videos a user has hearted / liked, you can do so on the same 3rd party website used for followers and followers here.

Using the example above we can see that the account gave hearts/likes to nearly 200 videos, and while many of them have flags from different countries, the British flag appears most often and may be an indication of where the account owner is from or currently resides. It is also possible that the account owner just happens to be interested more in British creator accounts, and would require more information before making a determination.

Profile: Biography

A user’s biography section is an area that allows the user to provide a quick blurb about themselves and will appear under the section showing their following, follower, and heart counts. Although this area can be left blank by the user, the biography can be one of the most information-rich portions of a user’s profile. Examples of some useful information I’ve found in this section include: additional account names for other platforms, locations, real names, etc.

In the above example I was able to use the Facebook name listed in the user’s biography section, along with the profile photo which depicted her Facebook account, to locate her on Facebook. With such a common name it would have been difficult to match her otherwise, especially with many of the accounts sharing the same name being in the same age range as our TikTok user.

Videos

Videos are the backbone of the TikTok platform and where social interaction occurs via likes/hearts and comments. Users may post videos of up to one minute in length; giving investigators plenty of time to look through multiple videos without being bogged down by unnecessarily long videos like they might encounter on other platforms.

The URL for each video is easily searchable within the source code which makes it simple to download the video for later without any 3rd party tools. You can right-click and select Inspect Element, and then search for “playwm” to find the URL to the video which will appear similar to the URL below. From there you can right-click the video and select Save Video As.

https://www.tiktok.com/node/video/playwm?id=6747120899637382402&_signature=x.khSAAgEB1bUV2rbziwZcf5IlAAJpO

Videos also contain a thumbnail, which can be reverse image searched to find it on other platforms, or downloaded for later. To find this thumbnail, repeat the same steps above to download the video except search for a url in the source code that follows “poster=” (This will appear above the link for the video). This will look like:

poster="https://p16-tiktokcdn-com.akamaized.net/obj/v0201/gm01rv34mr95askb9hmb0000a152070v0200001e05"

Video: Text

When uploading videos, users also have the option to add a bit of text to the post.  This text will appear above the music and like and comment counts of the video. This section can be used to provide more background information on a video and can often contain location information and/or names or usernames of friends or others that might be depicted in the video. In our example above we can see “ioawastate” was included in the text section, which provides a really narrow search area to continue with.

Video: HashTag

Hashtags on TikTok work in the same manner as other social media platforms. Users can add hashtags to their videos which allow you to quickly find additional videos with related themes or content on the site. You can search for a hashtag on the website by adding it to the end of the following link: https://www.tiktok.com/tag/ . You can then see all public videos posted that share the same tag. Hashtags might give clues on the people within the video or the video location, such as in our example above which shows many videos posted from around Los Angeles. Knowing the city, state, or country that a video was shot in makes it far easier to find the exact location, or narrow down your list of possible persons.

Video: Music

Users may add short clips of music to their TokTok videos, the information of which will appear below the text and hashtags on the video. In most cases the music information will include the artists and the title of the track. Keep in mind that users may also post their own audio rather than using music. This will appear like the second example above where it says “original sound -” followed by the user’s unique id. Although original audio uploaded by the user might help in identification, as it should be unique to the video and might give us a glimpse into how the user sounds, music sampled from elsewhere has little investigatory value in most cases. It might help in establishing a pattern of life or, if they seem to be very interested in a specific musician, might help confirm other accounts based on their content.

Video: Likes/Hearts

The total number of likes/hearts and comments will appear right above the comments section on a video. This number will assist us in determining how popular a specific video posted is. For investigative purposes this holds little value unless we are trying to determine, based on the average likes per video, at what point a specific user became popular. Also be aware that this is the full number of likes only for that specific video, not the overall count like what appears on a user’s profile. This section can be treated the same way as the overall heart/like count we looked at earlier.

Video: Comments

Users may make comments on videos, which may help in further identifying the user that originally posted the video. This can be done by looking at the profiles of users that often comment on that user's videos to see if they leak any location or identification data. Comments might also give us more information about the video, such as people asking where the video was shot, like in the above example where multiple comments suggest that the video was shot inside of a Target store.

Conclusion

Hopefully you are now ready to kickoff your first TikTok investigation or perhaps learned some additional techniques for your next one. Before starting be sure to take a look at the TikTok OSINT Exploitation Flow Chart, as well as my TikTok Investigative Tools that I have put up on my Github. If you have any questions or need assistance with a particular tool please feel free to reach out to me on Twitter.