Entertainment Figures TikTok Profiles Breached Via Zero-Click Attack in Private Messages

June 05, 2024Press DeskCyber Threat / Internet Safety

The popular video-sharing platform TikTok has acknowledged a security flaw that malicious actors have exploited to seize control of prominent profiles on the platform.


The issue was first reported by Semafor and Forbes, which described a zero-click account hijacking campaign in which malware spread through direct messages compromises brand and celebrity profiles without any interaction from the recipient.

The number of impacted users is currently unknown, although a TikTok spokesperson stated that the company has taken measures to stop the attack and prevent it from recurring.


TikTok also said it is working directly with affected profile owners to restore their access, noting that only a “very limited” number of users were compromised. It did not disclose specifics of the attack methodology or the mitigations it employed.

This isn’t the first time security vulnerabilities have been uncovered in the widely used platform. In January 2021, Check Point described a flaw in TikTok that could have allowed an attacker to build a database of users’ information and associated phone numbers for later malicious use.

Similarly, in September 2022, Microsoft discovered a one-click vulnerability impacting TikTok’s Android application, enabling attackers to seize control of profiles when users interacted with specially crafted hyperlinks.

Moreover, approximately 700,000 TikTok profiles in Turkey were reported to have been breached last year, following revelations that insecure SMS routing allowed threat actors to intercept one-time passcodes, gain access to users’ profiles, and artificially inflate likes and followers.

Malicious actors have also taken advantage of TikTok’s Invisible Challenge to distribute information-stealing malware, demonstrating attackers’ persistent efforts to spread malware through unconventional means.


Concerns over TikTok’s Chinese background have raised fears that the service might be misused to gather sensitive data on American users and spread propaganda, leading to proposed laws that would ban the app unless it is separated from ByteDance.

Last month, the social media platform filed a legal challenge in the U.S., arguing that the legislation is an “extraordinary infringement on free speech” and that the ban was based on mere “speculative apprehensions.”

Several nations, including India, Nepal, Senegal, Somalia, and Kyrgyzstan, have banned TikTok, while numerous others, including the U.S., the U.K., Canada, Australia, and New Zealand, prohibit use of the app on government devices.
