Over the past week, attackers have hijacked high-profile TikTok accounts belonging to multiple companies and celebrities, exploiting a zero-day vulnerability in the social media’s direct messages feature.
Zero-day vulnerabilities are security flaws with no official patch or public information detailing the underlying weakness.
After being compromised, user accounts belonging to Sony, CNN, and Paris Hilton had to be taken down to prevent abuse. CNN’s account was the first to be hijacked last week, as Semaphor first reported on Sunday.
As Forbes reported today, the exploit used by the attackers to hack the accounts via DMs only needs the targets to open the malicious message and doesn’t require downloading a payload or clicking embedded links.
“Our security team is aware of a potential exploit targeting a number of brand and celebrity accounts,” TikTok spokesperson Alex Haurek told Forbes.
“We have taken measures to stop this attack and prevent it from happening in the future. We’re working directly with affected account owners to restore access, if needed.”
According to Haurek, the attackers have only compromised a very small number of TikTok accounts. The company has yet to reveal the exact number of impacted users and has not shared any details regarding the exploited vulnerability until the underlying flaw is fixed.
Not the first flaw allowing account takeovers
This isn’t the first vulnerability to impact TikTok users in recent years. Most recently, the company patched an Android app flaw discovered by Microsoft in August 2022 that let hackers “quickly and quietly” take over accounts with one tap.
Previously, it fixed security bugs that allowed attackers to bypass the platform’s privacy protections and steal private user information, including phone numbers and user IDs.
The company also fixed vulnerabilities that enabled threat actors to hijack the accounts of users who signed up via third-party apps and compromise accounts to manipulate the owners’ videos and steal their personal information.
TikTok surpassed 1 billion users in September 2021, and it currently has over 1 billion downloads on Google’s Play Store and 17 million ratings on the iOS App Store.
When contacted by BleepingComputer earlier today for more information on the number of compromised accounts and the vulnerability exploited in the attacks, a TikTok spokesperson was not immediately available for comment.
Source: www.bleepingcomputer.com