TikTok, a popular video-sharing website, has disclosed a security flaw that threat actors used to gain control of high-profile accounts on the platform.
Semafor and Forbes were the first to report on the development, describing a zero-click account takeover campaign in which malware delivered through direct messages compromised brand and celebrity accounts without the recipient having to engage or interact with it.
The attack exploits a zero-day vulnerability in the messaging component, executing malicious code as soon as the message is opened.
It’s unclear how many users were affected, but a TikTok spokesperson stated that the company has taken preventive measures to stop the attack and prevent it from recurring in the future.
The company also stated that it is working directly with affected account holders to restore access, adding that the incident compromised only a “very small” number of people. It did not specify the nature of the attack or the mitigating strategies used.
This is not the first time a security flaw has been identified in the widely used service. In January 2021, Check Point disclosed a TikTok issue that might have allowed an attacker to create a database of the app’s users and their phone numbers for future malicious activities.
Then, in September 2022, Microsoft discovered a one-click exploit in TikTok’s Android app that allowed attackers to take control of accounts if victims clicked on a carefully crafted link.
Another vulnerability discovered by Imperva over a year ago could have allowed attackers to monitor user activities and access sensitive data on both mobile and desktop devices.
“By exploiting this vulnerability, attackers could send malicious messages to the TikTok web application through the PostMessage API, bypassing the security measures,” the company stated at the time. “The message event handler would then process the malicious message as if it were coming from a trusted source, granting the attacker access to sensitive user information.”
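Imperva's finding above concerns a `message` event handler that trusts whatever is posted to it. The following is an added example, not TikTok's or Imperva's code: a handler that skips the origin check, beside one that enforces an exact-match origin allowlist and only returns explicitly exposable fields. The origins, profile fields and message format are assumptions made for the illustration.

```javascript
// Added example (not TikTok's or Imperva's code); events are plain {origin, data, source} objects so it runs in Node.

// Hypothetical allowlist: list only your own exact origins.
const TRUSTED_ORIGINS = new Set([
  'https://app.example.com',
  'https://www.example.com',
]);

const SAMPLE_PROFILE = {           // constructed; the last two fields must never cross origins
  displayName: 'alice', avatarUrl: 'https://cdn.example.com/a.png',
  phone: '+1-555-0100', sessionToken: 'constructed-token',
};

// Vulnerable pattern: no origin check, so any embedding page can request
// any field of the profile and receive it.
function handleMessageInsecure(event, profile = SAMPLE_PROFILE) {
  const { type, field } = event.data || {};
  if (type === 'getProfileField') {
    return { ok: true, value: profile[field] };
  }
  return { ok: false, reason: 'unknown type' };
}

// Hardened pattern: exact origin match first, then strict validation of the
// message shape, and only explicitly exposable fields are returned.
function handleMessageSecure(event, profile = SAMPLE_PROFILE) {
  // Exact match only. startsWith/endsWith/includes checks on the origin
  // string are defeated by lookalike hosts, so never use them here.
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { ok: false, reason: 'untrusted origin' };
  }
  const data = event.data;
  if (!data || typeof data !== 'object' || typeof data.field !== 'string') {
    return { ok: false, reason: 'malformed message' };
  }
  const exposable = new Set(['displayName', 'avatarUrl']);
  if (data.type !== 'getProfileField' || !exposable.has(data.field)) {
    return { ok: false, reason: 'field not exposable' };
  }
  return { ok: true, value: profile[data.field] };
}

// Reply with an explicit targetOrigin, never '*', so the response is only
// delivered if the requesting window still has the origin we validated.
function reply(event, payload) {
  event.source.postMessage(payload, event.origin);
}
```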
That is not all. Last year, it was discovered that the grey routing of SMS messages through insecure channels allowed adversaries to intercept one-time passwords, gain access to TikTok users’ accounts, and inflate likes and followers, potentially compromising up to 700,000 TikTok accounts in Turkey.
Bad actors have also used TikTok’s Invisible Challenge to transmit information-stealing software, illustrating attackers’ ongoing efforts to disseminate malware through innovative techniques.
TikTok’s Chinese roots have raised concerns that the app might be used to collect sensitive information on American users and spread propaganda, prompting the introduction of legislation that would ban the video app in the US unless it is separated from ByteDance.
Last month, the social media giant filed a lawsuit in the United States opposing the act, claiming it is an “extraordinary intrusion on free speech rights” and that the US has only raised “speculative concerns” to justify the prohibition.
India, Nepal, Senegal, Somalia, and Kyrgyzstan have previously implemented similar bans on TikTok, while numerous other countries, including the United States, the United Kingdom, Canada, Australia, and New Zealand, have prohibited the app’s use on government devices.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.