TikTok has confirmed that hackers exploited a zero-day vulnerability in its direct messaging (DM) feature to hijack several high-profile accounts.
The targeted accounts include those of celebrities such as Paris Hilton and major media organizations such as CNN and Sony. The attack, which has raised alarms about the platform’s security measures, was first reported on June 4, 2024.
Zero-Day Vulnerability
The zero-day vulnerability allowed attackers to gain unauthorized access to accounts simply by sending a malicious message through TikTok’s DM feature.
The exploit did not require the victims to download any payload or click on embedded links; merely opening the malicious message was sufficient to compromise the account.
This type of attack is particularly insidious on two counts: it is zero-click, so the victim makes no mistake that could have been avoided, and it is a zero-day, meaning the flaw was unknown to TikTok when exploitation began and no patch existed to stop it.
The breach led to the temporary shutdown of the affected accounts to prevent further misuse. CNN’s account was reportedly the first to be hijacked, necessitating its removal from the platform for several days. Paris Hilton’s account was also targeted, although it was not compromised, Semafor reports.
TikTok has since taken measures to halt the attack and prevent future occurrences. The company is working directly with the affected account owners to restore access and put additional security measures in place.
Jason Grosse, a representative of TikTok’s privacy and security team, stated that the company is collaborating with the affected users to mitigate the impact and ensure such incidents do not recur.
However, TikTok has not disclosed the exact number of compromised accounts or detailed the specific nature of the vulnerability, citing security concerns.
The timing of the attack is particularly concerning given the upcoming U.S. presidential election. There are heightened fears that such vulnerabilities could be exploited to spread misinformation or disrupt the electoral process. CNN, for instance, has been working with TikTok to bolster its account security in anticipation of potential threats during the election season.
This incident is the latest in a series of security challenges for TikTok. In 2022, a hacker claimed to have stolen user data and source code from the platform, although TikTok denied these claims.
The platform has also faced scrutiny from U.S. lawmakers over concerns that the Chinese government could access user data, given TikTok’s ownership by the Chinese tech giant ByteDance.
In response to these concerns, President Biden signed a bill in April 2024 requiring ByteDance to sell TikTok’s U.S. operations or face a ban.
TikTok has a history of security vulnerabilities. In August 2022, Microsoft disclosed a flaw in TikTok’s Android app (CVE-2022-28799) that allowed attackers to take over an account after a single click on a crafted link.
Other disclosed vulnerabilities have allowed attackers to bypass privacy protections and harvest private user information, such as phone numbers and user IDs. Despite these issues, TikTok remains one of the most popular social media platforms globally, with over 1 billion users.
For now, TikTok users, particularly those with high-profile accounts, are advised to remain vigilant and report any suspicious activity to the platform’s security team. The company has assured its users that it is committed to protecting their data and preventing future breaches.