TikTok

Over the past week, attackers have hijacked high-profile TikTok accounts belonging to multiple companies and celebrities, exploiting a zero-day vulnerability in the social media's direct messages feature.

Zero-day vulnerabilities are security flaws with no official patch or public information detailing the underlying weakness.

After being compromised, user accounts belonging to Sony, CNN, and others had to be taken down to prevent abuse. CNN's account was the first to be hijacked last week, as Semaphor first reported on Sunday.

Wiz

As Forbes reported today, the exploit used by the attackers to hack the accounts via DMs only needs the targets to open the malicious message and doesn't require downloading a payload or clicking embedded links.

"Our security team is aware of a potential exploit targeting a number of high-profile accounts," TikTok spokesperson Jason Grosse told BleepingComputer.

"We have taken measures to stop this attack and prevent it from happening in the future. We're working directly with affected account owners to restore access, if needed."

According to Grosse, the attackers have only compromised a "small number" of TikTok accounts, according to "initial analysis." The company has yet to reveal the exact number of impacted users and has not shared any details regarding the exploited vulnerability until the underlying flaw is fixed.

Not the first flaw allowing account takeovers

This isn't the first vulnerability to impact TikTok users in recent years. Most recently, the company patched an Android app flaw discovered by Microsoft in August 2022 that let hackers "quickly and quietly" take over accounts with one tap.

Previously, it fixed security bugs that allowed attackers to bypass the platform's privacy protections and steal private user information, including phone numbers and user IDs.

The company also fixed vulnerabilities that enabled threat actors to hijack the accounts of users who signed up via third-party apps and compromise accounts to manipulate the owners' videos and steal their personal information.

TikTok surpassed 1 billion users in September 2021, and it currently has over 1 billion downloads on Google's Play Store and 17 million ratings on the iOS App Store.

Update June 05, 14:50 EDT: Revised article to remove Paris Hilton's account from the list of compromised accounts.

tines

Break down IAM silos like Bitpanda, KnowBe4, and PathAI

Broken IAM isn't just an IT problem - the impact ripples across your whole business.

This practical guide covers why traditional IAM practices fail to keep up with modern demands, examples of what "good" IAM looks like, and a simple checklist for building a scalable strategy.

Related Articles:

Zeroday Cloud hacking event awards $320,0000 for 11 zero days

FBI and CISA warn of state hackers attacking Fortinet FortiOS servers

Exploited MongoBleed flaw leaks MongoDB secrets, 87K servers exposed

WebRAT malware spread via fake vulnerability exploits on GitHub

WhatsApp device linking abused in account hijacking attacks