The popular video sharing platform TikTok has acknowledged a security flaw that has been exploited by malicious actors to take control of high-profile accounts on the platform.
The malware that hacked various accounts on TikTok
The development was first reported by Semafor and Forbes, which have compiled detailed reports on a zero-click account takeover campaign: malware delivered via direct messages compromises the accounts of brands and celebrities without the victim having to click on or interact with the message.
It is currently unclear how many users have been affected, although a TikTok spokesperson said the company has taken preventive measures to stop the attack and prevent it in the future.
The company also said that it is working directly with affected account holders to restore access and that the attack only managed to compromise a “very small” number of users; however, no specific details were provided on the nature of the attack or on the mitigation techniques the Chinese company employed to defend itself from this cyber attack.
Attacks of this kind against TikTok are actually nothing new
This isn’t the first time security issues have been discovered in the widely used service; as early as January 2021, Check Point presented a detailed report about a flaw in TikTok that could potentially have allowed an attacker to build a database of the app’s users and their associated phone numbers for future malicious activity.
Then, in September 2022, Microsoft disclosed a one-click exploit affecting TikTok’s Android app, which would have allowed attackers to take control of accounts when victims clicked on a specially crafted link.
That’s not all: up to 700,000 TikTok accounts in Türkiye were compromised last year, after reports emerged that grey-routing SMS messages through insecure channels allowed adversaries to intercept one-time passwords and access TikTok users’ accounts, inflating likes and followers.
Cyber criminals have also exploited TikTok’s Invisible Challenge to spread information-stealing malware, highlighting attackers’ ongoing efforts to distribute malware via unconventional means.
According to some, the platform is “problematic” because it is Chinese
TikTok’s Chinese roots have raised concerns that the app could be used as a channel to collect sensitive information on American users and spread propaganda, ultimately leading to the passage of a law that would ban the video app in the country unless it is divested by ByteDance.
Last month, the social media giant filed a lawsuit in the United States challenging the act, declaring that it is an “extraordinary intrusion on free speech rights” and that the United States raised only “speculative concerns” to justify the ban.
Other countries such as India, Nepal, Senegal, Somalia and Kyrgyzstan have imposed similar bans on TikTok, with several other countries, including the US, UK, Canada, Australia and New Zealand, also prohibiting the use of the social application on government devices.
Why the same criticism does not exist for Western platforms
You will surely have heard words like “don’t trust TikTok, it’s Chinese, it steals our data”, while the same people then make extensive use of Western platforms (Facebook, Instagram, Twitter and so on).
Suspicion towards TikTok is often fueled by its Chinese origins and concerns about whether the Chinese government could access data collected by the app.
These fears are rooted in Chinese laws that require companies to cooperate with state authorities on national security matters, leading many to fear that TikTok may be forced to share sensitive information with the Chinese government.
In contrast, Western platforms such as Facebook, Google and Microsoft, while collecting and using enormous amounts of personal data, do not raise the same level of concern; this can be attributed to a perception of greater transparency and regulation in democratic countries (or at least so it appears), where there are more stringent checks and balances on data privacy.
However, it is important to note that these Western companies have been involved in numerous scandals related to privacy and surveillance (see the Cambridge Analytica case involving Meta and Facebook, or the NSA’s PRISM program), and this highlights a double standard in public perception.
This dichotomy may arise from a combination of cultural trust, familiarity with the companies, and greater media visibility of privacy issues related to Chinese companies: a sort of “this thing is safe because it belongs to us”, so to speak.
Not just TikTok: a brief review of Cambridge Analytica
TikTok is not the only one to raise data privacy concerns; an emblematic case regarding Western applications is that of Cambridge Analytica, as just mentioned: in 2018, it emerged that this company had improperly obtained the personal data of millions of Facebook users without their consent, using it to influence political campaigns, including the 2016 US presidential election.
The scandal raised serious questions about Facebook’s handling of data and highlighted that Western platforms are not immune to data exploitation practices. The case led to increased public awareness of weaknesses in personal data protection, demonstrating that privacy concerns are not limited to Chinese apps but affect the entire global digital ecosystem.
Similar cases
TikTok and Facebook are certainly not the first social media platforms (and they certainly won’t be the last) to have had problems with user data; below is a list of similar cases:
- Equifax scandal (2017): One of the major US credit bureaus, Equifax, suffered one of the largest data breaches in history, compromising the personal information of more than 147 million people, including names, Social Security numbers, dates of birth, addresses and, in some cases, driving license numbers.
- Yahoo data breach (2013-2014): Yahoo revealed that all 3 billion user accounts had been compromised in a series of cyberattacks between 2013 and 2014. The stolen data included names, email addresses, phone numbers, dates of birth and, in some cases, security questions and encrypted or non-encrypted answers.
- Facebook and the case of third-party data collection (2019): Facebook revealed that hundreds of millions of phone numbers associated with user accounts had been stored on an unsecured server; furthermore, some third-party apps were found to have accessed users’ private photos without their consent.
- Marriott International data breach (2018): The Marriott hotel chain reported that the personal data of approximately 500 million customers had been exposed in a cyberattack that lasted from 2014 to 2018; the compromised information included names, email addresses, passport numbers and booking details.
- Google+ and the security flaw (2018): Google shut down its social network Google+ after revealing that a security flaw had exposed the personal data of around 500,000 users; the vulnerability had been present for over two years before it was discovered.
These are just a few examples showing that cases like the recent TikTok breach are nothing new, but have been practically tied to the world of social media since its appearance (or almost).