Over the past week, attackers have hijacked high-profile TikTok accounts belonging to a number of companies and celebrities, exploiting a zero-day vulnerability in the social media platform’s direct messages feature.
Zero-day vulnerabilities are security flaws with no official patch or public information detailing the underlying weakness.
After being compromised, user accounts belonging to Sony, CNN, and Paris Hilton had to be taken down to prevent abuse. CNN’s account was the first to be hijacked last week, as Semafor first reported on Sunday.
As Forbes reported today, the exploit used by the attackers to hack the accounts via DMs only requires the targets to open the malicious message and does not require downloading a payload or clicking embedded links.
“Our security team is aware of a potential exploit targeting a number of brand and celebrity accounts,” TikTok spokesperson Alex Haurek advised Forbes.
“We have taken measures to stop this attack and prevent it from happening in the future. We’re working directly with affected account owners to restore access, if needed.”
According to Haurek, the attackers have only compromised a very small number of TikTok accounts. The company has yet to disclose the exact number of impacted users and has not shared any details regarding the exploited vulnerability until the underlying flaw is fixed.
Not the first flaw allowing account takeovers
This is not the first vulnerability to affect TikTok users in recent years. Most recently, the company patched an Android app flaw discovered by Microsoft in August 2022 that let hackers “quickly and quietly” take over accounts with one tap.
Previously, it fixed security bugs that allowed attackers to bypass the platform’s privacy protections and steal private user information, including phone numbers and user IDs.
The company also fixed vulnerabilities that enabled threat actors to hijack the accounts of users who signed up via third-party apps and compromise accounts to manipulate the owners’ videos and steal their personal information.
TikTok surpassed 1 billion users in September 2021, and it currently has over 1 billion downloads on Google’s Play Store and 17 million ratings on the iOS App Store.
When contacted by BleepingComputer earlier today for more information on the number of compromised accounts and the vulnerability exploited in the attacks, a TikTok spokesperson was not immediately available for comment.