Popular video-sharing site TikTok has disclosed a security flaw that has been exploited by threat actors to take control of high-profile accounts on the network.
The technique was initially revealed by Semafor and Forbes, which outlined a zero-click account takeover effort that lets malware distributed via direct messages to corrupt brand and celebrity accounts without having to touch or interact with it.
It's still unknown how many users have been impacted, however a TikTok spokeswoman indicated that the firm has taken precautionary steps to halt the assault and prevent it from occurring in the future.
The business also added that it's working directly with affected account holders to restore access and that the assault only managed to breach a "very small" number of customers. It did not offer any information regarding the nature of the assault or the mitigating strategies it had deployed.
This is not the first time security flaws have been identified in the widely-used service. In January 2021, Check Point reported a bug in TikTok that might have theoretically allowed an attacker to compile a database of the app's users and their linked phone numbers for future harmful activities.
Then in September 2022, Microsoft identified a one-click vulnerability affecting TikTok's Android app that may enable attackers take control accounts when victims clicked on a specially crafted link.
That's not everything. As many as 700,000 TikTok accounts in Turkey were found to have been compromised last year, after reports emerged that the greyrouting of SMS messages through insecure channels enabled adversaries to intercept one-time passwords and gain access to TikTok users' accounts and inflate likes and followers.
Bad actors have also relied on TikTok's Invisible Challenge to send information-stealing software, demonstrating persistent attempts on the part of attackers to propagate malware via innovative ways.
TikTok's Chinese origins have led to fears that the app may be used as a conduit to obtain sensitive information on American users and promote propaganda, finally leading to the passing of a bill that would prohibit the video app in the US unless it is divested from ByteDance.
Last month, the social media giant filed a lawsuit in the U.S. opposing the legislation, arguing it's a "extraordinary intrusion on free speech rights" and that the U.S. has put out only "speculative concerns" to support the prohibition.
Other nations including India, Nepal, Senegal, Somalia, and Kyrgyzstan have enacted similar restrictions on TikTok, with numerous other countries, including the U.S., the U.K., Canada, Australia, and New Zealand, restricting the use of the app on government devices.
