High-Profile TikTok Accounts Hacked Through Direct Messages

June 5, 2024

Threat actors have exploited a zero-day vulnerability in TikTok's direct messaging feature to hijack several high-profile accounts, including those of CNN, Paris Hilton, and Sony. According to Forbes, the malware spreads through direct messages inside the app and requires nothing more than the recipient opening the message; no further interaction is needed. The extent of the damage and the total number of affected accounts remain unclear.

TikTok spokesperson Alex Haurek confirmed that the platform's security team is aware of the exploit and has taken steps to stop the attack and prevent a recurrence. The company is also working with the owners of the affected accounts to restore access, but it has not released any technical details about the vulnerability the attackers used. "Our security team is aware of a potential exploit targeting a number of brand and celebrity accounts. We have taken measures to stop this attack and prevent it from happening in the future. We're working directly with affected account owners to restore access, if needed," Haurek told Forbes. He added that the attack affected a very small number of accounts.

Semafor was the first to report that CNN's TikTok account had been compromised, which led the broadcaster to temporarily take the account down. Haurek also acknowledged that TikTok's security team had recently been alerted to malicious actors targeting CNN's account, and said the platform is committed to preserving its integrity and will keep monitoring for further fraudulent activity.

In August 2022, Microsoft researchers disclosed a high-severity flaw (CVE-2022-28799) in the TikTok Android app that could have let an attacker take over a user's account with a single click, although turning it into a full account hijack would have required chaining it with other flaws. Microsoft reported the issue to TikTok in February 2022, and TikTok fixed it promptly. Microsoft said it was not aware of any instances of the bug being exploited in the wild.
