TikTok confirms CNN, other high-profile accounts hijacked via zero-day vulnerability

Miscreants exploited a zero-day in TikTok to compromise the accounts of CNN and other big names. The app maker has confirmed there was a cyberattack, and that it has scrambled to secure accounts and prevent any further exploitation.

We can only imagine the chaos that could be caused by someone commandeering an account with countless followers and using it to spread scams, misinformation, and malware, and even hijacking fans’ profiles and their friends in a worm-like fashion.

“Our security team is aware of a potential exploit targeting a number of high-profile accounts,” TikTok spokesperson Alex Haurek told The Register today. “We have taken measures to stop this attack and prevent it from happening in the future. We’re working directly with affected account owners to restore access, if needed.”

While indicating CNN was indeed exploited, Haurek told us earlier accounts of Paris Hilton’s account being compromised were “inaccurate.” He declined to comment on reports of a Sony account takeover.

“Our security team was recently alerted to malicious actors targeting CNN’s TikTok account,” Haurek said. “We have been collaborating closely with CNN to restore account access and implement enhanced security measures to safeguard their account moving forward. We are dedicated to maintaining the integrity of the platform and will continue to monitor for any further inauthentic activity.”

CNN and Sony did not immediately respond to The Register’s request for comment. Haurek declined to answer The Register’s additional questions, including about how exactly the exploit worked, how many accounts were compromised, who is thought to be responsible for the break-ins, and whether they are ongoing.

The attacker reportedly compromised selected high-profile accounts via TikTok’s private chat system: It’s said that the miscreant just had to send a specially crafted direct message to a victim, and that the mark just had to open it, at which point a vulnerability in TikTok’s software would be exploited to gain access to or control over the target account. There was no need to open some link or download in this zero-click attack.

It’s unclear whether the exploit targeted the TikTok app on a specific platform, such as iOS or Android, or worked across platforms.

In addition to the ongoing data security and manipulation — not to mention flat-out espionage — concerns around TikTok and its China-based parent ByteDance, the software developer has also experienced other security issues in recent years.

In August 2022, Microsoft discovered a high-severity flaw in the TikTok Android app that could have allowed miscreants to hijack and modify victims’ profiles, and send messages and upload videos as their victims.

In contrast to this latest snafu, that earlier vulnerability was found and fixed before it was abused.

A year ago, the Imperva red team spotted a vulnerability in TikTok that could allow attackers to snoop on users and access sensitive information. This one was also fixed prior to any reported exploits.

The latest kerfuffle comes at a tough time for TikTok and ByteDance, which is challenging in court an American law that aims to force the outfit to either sell off TikTok or shut down its US operations.

American politicians have long argued that ByteDance, being a Chinese corporation, could be ordered by Beijing to make TikTok spy on its users and manipulate what they see in the app to push misinformation and propaganda to Western audiences.

While TikTok has repeatedly said this hasn’t — and will not — happen, this latest security headache is unlikely to help the video-sharing service’s cause. ®