Knock-knock, let’s hack TikTok

A recent zero-click vulnerability in TikTok has led to high-profile accounts being taken over.

TikTok Zero-Click vulnerability: what to know?

Do you use TikTok? Do your kids?

You can put your hands down, I know that the question was more rhetorical than anything. If you’ve any interest in the network, you’ve probably seen the news sweeping the interwebs over the past week – news that’s come to a head in the last 24-48 hours as of this writing.

The popular social network TikTok has acknowledged a security issue that’s allowed attackers to take control of its accounts.

How was TikTok hacked?

The issue stems from a zero-click exploit that’s been used by illicit groups who’ve been taking over high-profile accounts (and possibly smaller accounts) via the platform’s direct message function. To date, accounts that have been targeted or compromised include those of CNN, Paris Hilton and Sony.

What makes this case all the more tricky is that users don’t need to click a malicious link, but rather just open the direct message in TikTok for the malware to trigger. According to a statement to the media, TikTok’s spokesperson noted that they were taking this vulnerability seriously and have worked to halt the attack.

“We have taken measures to stop this attack and prevent it from happening in the future. We’re working directly with affected account owners to restore access, if needed.”

This is an evolving story, and we will update this post as more information comes to light and can add additional context.

What can you do?

As mentioned in our post dedicated to them, zero-click exploits are very difficult to stop and decipher. With that said, there are some things you can do to try to reduce some of the risk – especially on social profiles.

Use strong and unique passwords. As with any site, the weakest link is often the entry point to the platform – the password. This should be unique and not one that you re-use on multiple platforms. If you struggle to come up with a unique password, consider using a password manager to generate a unique and strong password.

Use two-factor authentication. Most platforms allow for some form of two-factor authentication to secure users. While many people default to using SMS or email as the source of the second verification, I’d recommend using an authenticator application.

If you don’t know, don’t click. OK, time to put on the Momma Jeff hat for a minute. You shouldn’t talk to strangers. Just like the creepy white van with free candy stenciled on the side that your parents warned you about, there are creepy people sliding into your direct messages. If you don’t know the person messaging you, there’s no reason for you to assume that you should click on any link sent from these accounts and expect anything but a scam. Similarly, if you don’t know the person, why even bother opening the message? As you can see with this TikTok vulnerability, curiosity can still kill the cat – even in this digital age we live in. While it may be a goal to chase the influencer wagon and make fast cash, if something sounds too good to be true, it probably is.

Educate your kids. If you have kids, or are an uncle/aunt/grandma/pawpaw, please consider talking to them about basic safety on social networks. As the adults in the room, we have to be the folks who teach the next generation about security. This post is short, but I hope it serves as a good example of how a tiny mistake (a quick peek) can see someone lose control over their accounts.

Read our detailed guide to setting up security and privacy on TikTok. Also, use our free Privacy Checker service to configure both the privacy and security of other social networks, online services and applications.
