Malicious actors recently hacked high-profile TikTok accounts of big companies and celebrities and exploited a zero-day vulnerability in TikTok’s direct messaging feature. This TikTok zero-day vulnerability allowed the hackers to take control of accounts without the need for victims to download anything or click on any links.
For all those who are unaware of what is a zero-day vulnerability, it is a security hole in software that the makers themselves are unaware of. The reason why it’s a prime target of the hackers is that there’s no patch or public information about the flaw.
The TikTok zero-day vulnerability has impacted and hijacked accounts belonging to CNN, Sony, and Paris Hilton.
According to the Semaphor, CNN’s account was the first to be compromised last week. Afterward, similar cyberattacks targeted Sony and Paris Hilton’s accounts. To prevent any further misuse, TikTok took these accounts offline.
How Did the TikTok Zero-Day Vulnerability Occur?
According to Forbes, which first reported the incident, hackers simply opened a malicious direct message to compromise an account. It was noted that there was no need to download any files or click on any links, making the attack easy to carry out and difficult to detect.
Alex Haurek who leads TikTok’s security team, responded to Forbes noting, “Our security team is aware of a potential exploit targeting a number of brand and celebrity accounts. We have taken measures to stop this attack and prevent it from happening in the future. We’re working directly with affected account owners to restore access if needed.”
TikTok has also notified that only a small number of accounts were compromised, but it hasn’t given specific numbers or detailed the vulnerability until they fix it completely.
Prior Security Issues
This isn’t the first time TikTok has faced security issues. In August 2022, Microsoft discovered a flaw in TikTok’s Android app that allowed hackers to take over accounts with a single tap. TikTok has also fixed other security bugs that let attackers steal private user information, bypass privacy protections, and manipulate user videos.
In another example, Apple released a software update to fix a bug in WebKit, which runs Safari and other web apps. This bug could have allowed malicious code to run on affected devices. Apple quickly patched this across all its devices, including iPhones, iPads, Macs, and Apple TV.
In mid-2023, TikTok was fined £12.7 million by the Information Commissioner’s Office (ICO) for multiple breaches of data protection laws. These include allowing over one million children under 13 to use its platform without parental consent in 2020, contrary to its own terms of service.
The ICO’s investigation found that TikTok had allowed an estimated 1.4 million UK children under 13 to create accounts and use its platform, despite its rules stating that users must be at least 13 years old.
This resulted in the unlawful processing of children’s data without proper consent or authorization from their parents or guardians, a requirement under UK data protection law for organizations offering information society services to children under 13.
Furthermore, TikTok failed to provide adequate information to its users, especially children, on how their data was being collected, used, and shared in a clear and understandable manner.
This lack of transparency made it difficult for users to make informed choices about their engagement with the platform.
