Celebrity TikTok Accounts Compromised Using Zero-Click Attack via DMs


Popular video-sharing platform TikTok has acknowledged a security issue that has been exploited by threat actors to take control of high-profile accounts on the platform.

The development was first reported by Semafor and Forbes, which detailed a zero-click account takeover campaign that allows malware propagated via direct messages to compromise brand and celebrity accounts without having to click or interact with it.

It’s currently unclear how many users have been affected, although a TikTok spokesperson said that the company has taken preventive measures to stop the attack and prevent it from happening in the future.

The company further said that it’s working directly with impacted account holders to restore access and that the attack only managed to compromise a “very small” number of users. It did not provide any specifics about the nature of the attack or the mitigation techniques it had employed.

This is not the first time security issues have been uncovered in the widely-used service. In January 2021, Check Point detailed a flaw in TikTok that could have potentially enabled an attacker to build a database of the app’s users and their associated phone numbers for future malicious activity.

Then in September 2022, Microsoft uncovered a one-click exploit affecting TikTok’s Android app that could let attackers take over accounts when victims clicked on a specially crafted link.

That’s not all. As many as 700,000 TikTok accounts in Turkey were found to have been compromised last year, after reports emerged that the greyrouting of SMS messages through insecure channels enabled adversaries to intercept one-time passwords and gain access to TikTok users’ accounts and inflate likes and followers.

Bad actors have also capitalized on TikTok’s Invisible Challenge to deliver information-stealing malware, highlighting continued efforts on the part of attackers to spread malware through unconventional means.

TikTok’s Chinese roots have led to concerns that the app could be used as a conduit to gather sensitive information on American users and push propaganda, eventually leading to the passage of a law that would ban the video app in the country unless it is divested from ByteDance.

Last month, the social media giant filed a lawsuit in the U.S. challenging the act, stating it’s an “extraordinary intrusion on free speech rights” and that the U.S. had put forth only “speculative concerns” to justify the ban.

Other countries like India, Nepal, Senegal, Somalia, and Kyrgyzstan have imposed similar bans on TikTok, with several other countries, including the U.S., the U.K., Canada, Australia, and New Zealand, barring the use of the app on government devices.


Please enter your comment!
Please enter your name here