Journalists of the ZDNet publication, citing one of their readers, report that the web version of TikTok did not receive multi-factor authentication (via mail and SMS), which developers established for all users of the platform in August.
Thus, an attacker who somehow learned someone else’s credentials (for example, through a phishing attack or brute force) can log into the TikTok account through the site.
“This lapse in TikTok’s MFA implementation opens the door for scenarios where a malicious threat actor could bypass MFA by logging into an account with compromised credentials via its website, rather than the mobile app.”, — writes ZDNet journalists.
Fortunately, through the web version, hackers cannot change the user’s password and completely take over someone else’s account. Basically, all an attacker can do is upload and publish a new video, for example, to ruin an account’s reputation or advertise a fraudulent product on behalf of a popular user. The publication also notes that hacked accounts can be used to spread disinformation, propaganda, and so on.
Journalists note that the TikTok mobile app does not notify the user in any way about active sessions in the web version. This essentially means that TikTok doesn’t warn users at all if someone has used their credentials and logged into the account through a browser.
“It’s a well-known fact that Facebook and other companies have abused 2-factor SMS signups, and a clear indicator that TikTok has done something similar is the reality that the TikTok 2-factor is an illusion, and totally optional when using the website login features”, — told ZDNet security researcher Zach Edwards.
TikTok developers have already promised to fix the problem and extend multi-factor authentication to the site too, but they have not named any specific time frame yet.
“In the meantime, users who have enabled MFA for their TikTok account for security reasons should not be lowering their guard and reuse passwords from other accounts, thinking MFA blocks all attackers. These users should continue to use complex and hard-to-guess passwords”, — advised in TikTok company.
ZDNet notes that the login page is protected by a CAPTCHA, which means users can hardly expect a wave of automated attacks and massive compromises of TikTok accounts.
Let me remind you that earlier this year, researchers managed to hack TikTok using SMS.