TikTok mitigates malware attacks targeting high-profile accounts

225 0 0

Illustration: Aïda Amer/Axios

TikTok says it has fixed a vulnerability that led to a rare type of cyberattack this week.

Why it matters: Hackers sent a private, malware-laced message to users that took over their accounts as soon as the message was opened.

TikTok confirmed to Axios that the unidentified hackers were able to take over CNN’s account.
Reports suggest that they also attempted to hijack Paris Hilton’s TikTok account.

Threat level: It remains unclear who is behind the attack and what vulnerability the hackers exploited — but this type of attack is extremely rare and likely won’t impact the average user.

Driving the news: Semafor first reported the CNN account takeover, and Forbes reported Tuesday on the use of zero-click malware.

A TikTok spokesperson added that the company is actively working with affected account owners to restore their access.

Between the lines: The TikTok accounts look a lot like zero-click spyware attacks that target high-profile government officials, political activists and journalists.

However, the end result is different: In spyware attacks, the goal is to track users’ phone calls, text messages and other activities.
In the TikTok case, the goal was to completely take over the account.

Zoom in: It’s possible the vulnerability affected how content is loaded in direct messages, Malwarebytes security researcher Pieter Arntz noted.

Microsoft identified a vulnerability in TikTok’s Android app in 2022 that could lead to one-click account hijacking — and TikTok released a fix to that flaw before it was disclosed.