Over the past week, high-profile TikTok accounts belonging to companies and celebrities have been hijacked due to a zero-day vulnerability in the platform’s direct messages feature. This vulnerability allows attackers to compromise accounts simply by having the target open a malicious message. Major accounts, including those of Sony, CNN, and Paris Hilton, were affected and subsequently taken down to prevent further abuse.
Zero-day vulnerabilities are critical security flaws for which no official patch exists and no public information describes the weakness. In this instance, the exploit did not require downloading a payload or clicking on embedded links, which made it particularly insidious: merely opening the message was enough. TikTok’s security team, led by spokesperson Alex Haurek, has been working to stop the attack and prevent future incidents. They are also assisting the affected account owners in regaining access.
Although the exact number of compromised accounts has not been disclosed, TikTok has stated that only a very small number of accounts were impacted. The company has yet to provide details on the specific vulnerability, aiming to fix the underlying flaw before sharing more information. This incident is not the first time TikTok users have faced security issues, as the platform has dealt with similar vulnerabilities in the past.
In August 2022, TikTok patched an Android app flaw discovered by Microsoft that allowed hackers to take over accounts with one tap. Previously, other security bugs enabled attackers to bypass privacy protections and steal private user information, including phone numbers and user IDs. TikTok, which surpassed 1 billion users in September 2021, continues to address these security challenges to protect its extensive user base.