The popular Chinese social media app TikTok has once again made it to the news. But this time, it’s not due to the US-China-TikTok skirmish, rather a security issue. It appears TikTok has a glitch in its multi-factor authentication feature that allows anyone to bypass the check and access accounts.
TikTok Multi-Factor Authentication Bypass
In a recent report, ZDNet has shared details about a TikTok multi-factor authentication bypass. The glitch first caught the attention of a user who then reached out to ZDNet to report the matter.
Investigating the matter revealed the possibility for an adversary to evade the security check and sign-in to an account.
Specifically, the glitch exists due to a faulty implementation of multi-factor authentication (MFA). TikTok introduced MFA in August 2020, featuring SMS and email-based verification methods. While the feature itself worked fine, the actual observer of the glitch found that TikTok has only implemented the check on mobile apps. Whereas, the web version lacked this security layer.
Consequently, it became possible for an attacker to access a target account simply by entering credentials on the web version. (We know there are many ways of accessing the correct account credentials, such as brute force and phishing.)
Although, ZDNet has explained that this TikTok MFA bypass isn’t seriously damaging because of the limited web version functionalities.
Even after accessing an account, an attacker cannot meddle with account settings to hijack the account.
However, it still requires attention as exploiting this feature does facilitate in scam promotions or defacement. The latter can even trigger account deletion by the service due to violation of community standards. In the past, a similar incident happened to a security researcher who explained everything in this blog.)
Another alarming issue here is that TikTok presently doesn’t warn or show a user about active web sessions. It means that a victim would never know if an adversary hacks its account via the web version.
Thankfully, ZDNet has confirmed that TikTok has pledged to address this issue soon.
Until a fix arrives, users must ensure that they do implement this feature to protect their accounts, at least, partially. Yet, they must set up strong passwords, preferable, with a password manager, to make password-guessing really difficult.