TikTok: Zero-day vulnerability enabled takeover of celebrity and brand accounts
Due to a zero-day vulnerability, accounts on TikTok could be taken over via a direct message. Some brands and Paris Hilton were affected.
TikTok has patched a security hole that was used in recent days to take over the accounts of celebrities and world-famous brands. This was reported by Forbes, citing the operator of the popular video app. According to the report, a zero-day vulnerability was exploited in the attacks. It was sufficient to send the malicious code via direct message: merely opening the message was enough to give the attackers access to the account. It is unknown how many accounts were taken over, but those of Sony, CNN and Paris Hilton were certainly affected. TikTok has worked with those responsible for the accounts to give them back control.
Background unclear
"We have taken steps to stop the attack and prevent it from happening again in the future," Forbes quotes from a statement by ByteDance. The video app operator refers to "a number" of accounts run by celebrities and brands. The situation is being monitored to prevent "inauthentic activity". The spokesperson added that only a "very small number" of accounts had been taken over, without naming a specific figure. According to the report, the compromised accounts did not post anything, so it is unclear what the unknown attackers had in mind.
Before ByteDance's admission, the US magazine Semafor first publicized the takeover of CNN's account by unknown attackers. The account was subsequently shut down for several days, during which CNN worked with TikTok to restore it. Several CNN employees had previously pointed out lax practices in handling the account: dozens of employees had access to it. Only later did it become clear that the successful attack was probably not due to this. The vulnerability now exploited on TikTok is not the first to be used to take over accounts. A year and a half ago, Microsoft discovered a similarly serious vulnerability.
(mho)