TikTok

Over the past week, attackers have hijacked high-profile TikTok accounts belonging to multiple companies and celebrities, exploiting a zero-day vulnerability in the social media's direct messages feature.

Zero-day vulnerabilities are security flaws with no official patch or public information detailing the underlying weakness.

After being compromised, user accounts belonging to Sony, CNN, and others had to be taken down to prevent abuse. CNN's account was the first to be hijacked last week, as Semaphor first reported on Sunday.

As Forbes reported today, the exploit used by the attackers to hack the accounts via DMs only needs the targets to open the malicious message and doesn't require downloading a payload or clicking embedded links.

"Our security team is aware of a potential exploit targeting a number of high-profile accounts," TikTok spokesperson Jason Grosse told BleepingComputer.

"We have taken measures to stop this attack and prevent it from happening in the future. We're working directly with affected account owners to restore access, if needed."

According to Grosse, the attackers have only compromised a "small number" of TikTok accounts, according to "initial analysis." The company has yet to reveal the exact number of impacted users and has not shared any details regarding the exploited vulnerability until the underlying flaw is fixed.

Not the first flaw allowing account takeovers

This isn't the first vulnerability to impact TikTok users in recent years. Most recently, the company patched an Android app flaw discovered by Microsoft in August 2022 that let hackers "quickly and quietly" take over accounts with one tap.

Previously, it fixed security bugs that allowed attackers to bypass the platform's privacy protections and steal private user information, including phone numbers and user IDs.

The company also fixed vulnerabilities that enabled threat actors to hijack the accounts of users who signed up via third-party apps and compromise accounts to manipulate the owners' videos and steal their personal information.

TikTok surpassed 1 billion users in September 2021, and it currently has over 1 billion downloads on Google's Play Store and 17 million ratings on the iOS App Store.

Update June 05, 14:50 EDT: Revised article to remove Paris Hilton's account from the list of compromised accounts.

Related Articles:

"Researchers" exploit Kraken exchange bug, steal $3 million in crypto

QNAP QTS zero-day in Share feature gets public RCE exploit

PoC exploit released for RCE zero-day in D-Link EXO AX4800 routers

Google now pays $250,000 for KVM zero-day vulnerabilities

Cisco warns of NX-OS zero-day exploited to deploy custom malware