Threat actors exploited a zero-day vulnerability in the video-sharing platform TikTok to hijack high-profile accounts. According to Forbes, the vulnerability resides in the platform's direct messages feature.
The malware spreads through direct messages within the app and only requires the user to open a message. The compromised accounts did not post content, and the extent of the impact is unclear. TikTok spokesperson Alex Haurek stated that their security team is aware of the exploit and has taken measures to stop the attack and prevent future incidents. The company is also working with affected account owners to restore access.
The list of compromised accounts includes CNN, Paris Hilton, and Sony; however, it is still unclear how many accounts have been impacted.
The company did not share technical details about the vulnerability exploited by the attackers.
“Our security team is aware of a potential exploit targeting a number of brand and celebrity accounts. We have taken measures to stop this attack and prevent it from happening in the future. We’re working directly with affected account owners to restore access, if needed,” TikTok spokesperson Alex Haurek told Forbes.
Haurek pointed out that the attacks compromised a very small number of accounts.
Semafor first reported that CNN’s TikTok account had been hacked, forcing the broadcaster to take down its account for several days.
The TikTok spokesperson also added that their security team had recently been alerted to malicious actors targeting CNN’s account.
TikTok remarked that it is committed to maintaining the platform’s integrity and will continue to monitor for any further fraudulent activity.
In August 2022, Microsoft researchers discovered a high-severity flaw (CVE-2022-28799) in the TikTok Android app, which could have allowed attackers to hijack users’ accounts with a single click. The experts stated that the vulnerability would have required chaining with other flaws to hijack an account. Microsoft reported the issue to TikTok in February 2022, and the company quickly addressed it. Microsoft confirmed that it is not aware of attacks in the wild exploiting the bug.
(SecurityAffairs – hacking, zero-day)