Popular video-sharing platform TikTok has acknowledged a security vulnerability that threat actors are exploiting to take control of prominent accounts on the platform.
Semafor and Forbes first reported on the development, describing it as a zero-click account takeover campaign. The attackers compromise brand and celebrity accounts by delivering malicious content through direct messages; the recipient does not need to click anything or otherwise interact for the takeover to succeed.
The number of affected users remains unclear, but a TikTok spokesperson says the company has taken preventive measures to stop this attack and to prevent similar incidents in the future. TikTok is working directly with the affected account holders to restore access and says the attack breached “a very small number” of users. No details about the nature of the attack or the mitigation techniques have been provided.
This is not the first time security issues have been identified in widely used services. In January 2021, Check Point detailed a vulnerability in TikTok that could allow attackers to build a database of application users and their associated phone numbers for future malicious activities. In September 2022, Microsoft discovered a one-click vulnerability affecting the TikTok Android application, enabling attackers to take over accounts when victims click on specially crafted links.
Additionally, last year, up to 700,000 TikTok accounts in Turkey were found to be compromised. Attackers intercepted one-time passwords sent over insecure channels, gained access to TikTok users’ accounts, and used them to inflate likes and followers. Malicious software was also spread through TikTok’s “invisible challenge,” highlighting attackers’ efforts to distribute malware through unconventional channels.