High-profile TikTok accounts, including CNN, Sony, and—er—Paris Hilton, have been targeted in a recent attack.
CNN was the first account takeover that made the news, with Semafor reporting that the account was down for several days after the incident.
According to Forbes, this is a zero-click attack: the account owner doesn't need to click a link or open an attachment. Simply opening the malicious Direct Message (DM) is enough for the account to be taken over, after which the rightful user loses access.
Malwarebytes’ Pieter Arntz explained how this sort of attack could happen:
> “If they don’t need to click on anything, this could well be a vulnerability in the way content is loaded when opening a DM. We’ve seen similar vulnerabilities before in the Chromium browser, for example when fabricated images are loaded.”
TikTok says it has now fixed the issue and is working to get the accounts back to their rightful owners. Spokesperson Alex Haurek told Forbes:
> “Our security team is aware of a potential exploit targeting a number of brand and celebrity accounts. We have taken measures to stop this attack and prevent it from happening in the future.”
Haurek didn’t say whether the attackers were still targeting accounts.
This attack is eye-catching because it's technically unusual, and was used against people who naturally attract headlines. However, it's a flash in the pan and the vulnerability was quickly patched.
Meanwhile, there's a thriving underground market in social media logins, fuelled by forms of attack that are far more mundane but far more successful. To reduce your risk of those, make sure you do these things: