A recent ‘high severity’ flaw in the TikTok Android app highlights the importance of staying vigilant on the video-sharing platform.
TikTok is undeniably the most popular video-based social media app out there right now.
After overtaking YouTube for average watch time in the US and UK last year, and subsequently becoming one of the world’s most popular domains, TikTok has emerged as a force to be reckoned with. Unfortunately, that reach also makes its users an attractive target for scammers and account hijackers.
Microsoft revealed in a blog yesterday (31 August) that it recently discovered a “high-severity vulnerability” in the TikTok Android app that could let hackers hijack a user’s account with just one click.
Now patched, the vulnerability could have given attackers unrestricted access to millions of TikTok accounts, with the ability to post videos, send messages, view private drafts and edit account details on the app – which has more than 1.5bn downloads on the Google Play Store.
A spokesperson for TikTok told The Verge that there was no evidence to suggest the flaw discovered by Microsoft 365 Defender researchers had been exploited by bad actors and that the vulnerability had been patched promptly.
“As threats across platforms continue to grow in numbers and sophistication, vulnerability disclosures, coordinated response and other forms of threat intelligence sharing are needed to help secure users’ computing experience,” Microsoft’s Dimitrios Valsamaras wrote in the blog.
“We will continue to work with the larger security community to share research and intelligence about threats in the effort to build better protection for all.”
Pro tips to stay safe
While future attempts to hack TikTok accounts cannot be ruled out, there are ways in which users can minimise their chances of falling prey to cyberattacks and scams.
Cybersecurity company ESET has come up with a few tips to help TikTok users identify suspicious activity and avoid being duped by hackers. In a blogpost, it listed five scams to look out for on the fast-growing platform.
“Cybercriminals are very creative and always follow trends closely, even predicting change before the masses in order to maximise the outcome of their techniques,” wrote ESET’s Jake Moore in the blogpost.
“While in an app that people are scrolling minute after minute, even hour after hour, scams can easily catch people off guard and often make them lose money, their account, or even their reputation.”
Phishing is perhaps the most important security threat to be aware of. If successful, a phishing attack can give hackers full control of an account and even lock the original user out.
“A TikTok scam email or text is a message that goes out at random like a typical phishing message, but in the hope that they land in a TikToker’s inbox,” wrote Moore. “They might try to offer a verified badge, more followers, or even a sponsorship.”
Once a user clicks on the link in the message, they are redirected to a site that imitates TikTok and requests their login credentials. Because TikTok accounts are not protected by two-factor authentication (2FA) by default, a stolen password is often all an attacker needs to take over the account. Even with 2FA enabled, a convincing phishing page may go on to ask for the one-time code as well, so the login link itself is the thing to check.
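The weak point in the phishing flow above is the link in the message: it typically points to a domain that merely looks like TikTok’s. The following script is an added example, not code from the article, ESET or TikTok, showing how to pull links out of a message and classify them as genuine, lookalike or unrelated. It assumes that `tiktok.com` is the only genuine registrable domain (the real set of TikTok domains is larger), uses a naive last-two-labels rule instead of the Public Suffix List, and the sample messages are constructed for the demonstration.

```python
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Assumption for this example: only tiktok.com counts as genuine.
BRAND = "tiktok"
LEGIT_REGISTRABLE = {"tiktok.com"}

# Crude URL extractor; trailing punctuation is stripped afterwards.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (e.g. 'login.tiktok.com' -> 'tiktok.com').
    A real deployment should use the Public Suffix List so that names such as
    'example.co.uk' are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typo-squats such as 'tlktok' or 'tikt0k'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for one URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "unrelated"
    # 'https://tiktok.com@evil.example/': the brand sits in the userinfo part;
    # the browser actually connects to evil.example.
    if parsed.username and BRAND in parsed.username.lower():
        return "lookalike"
    if registrable_domain(host) in LEGIT_REGISTRABLE:
        return "legit"
    # Brand name inside a host whose registrable domain is not genuine,
    # e.g. tiktok.com.verify-account.net or tiktok-verified-badge.com.
    if BRAND in host:
        return "lookalike"
    # One-character typos of the brand in the second-level label.
    second_level = registrable_domain(host).split(".")[0]
    if levenshtein(second_level, BRAND) <= 1:
        return "lookalike"
    return "unrelated"


def scan_message(text: str) -> List[Tuple[str, str]]:
    """Extract every URL from a message and classify it."""
    urls = [u.rstrip(".,;)") for u in URL_RE.findall(text)]
    return [(u, classify_link(u)) for u in urls]


# Constructed sample messages, not real scam texts.
SAMPLE_MESSAGES = [
    "Congrats! Your account qualifies for a verified badge. "
    "Claim at https://tiktok-verified-badge.com/claim within 24h",
    "TikTok security: unusual sign-in. Confirm at "
    "http://www.tiktok.com.verify-account.net/login",
    "Reset your password: https://www.tiktok.com/login",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for url, verdict in scan_message(msg):
            print(f"{verdict:10} {url}")
```

The userinfo case is worth keeping even though it looks exotic: a link rendered as `https://tiktok.com@...` displays the brand first in many clients, but the hostname the browser connects to is whatever follows the `@`.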
Another popular trope is the get-rich-quick scam and its trending cousin, the crypto scam. ESET said that the rise in popularity of cryptocurrencies has led to a corresponding rise in TikTok scams that offer people fast and easy money through the blockchain medium.
“These offers always sound too good to be true – that is because they are. Is Elon Musk really going to give random web strangers a million dollars?” Moore quipped in the blog.
Just like Twitter, TikTok is also home to a large colony of bot accounts, ones that “cleverly interact with users in a way that make the targeted users think they are chatting with a real person”.
These accounts can elicit sensitive info from users and even scam them into downloading malware on their phones, ESET said.
While bots can fake being regular people, TikTok also has a fake app and fake celebrity problem. Some accounts claim that paid apps can be downloaded for free from certain third-party app stores, when in fact, as ESET points out, they are scams that install malware on the device.
Meanwhile, some accounts impersonate real-world celebrities by duplicating content from the individual’s verified account. Sometimes, especially when the celebrity does not have a verified official account, these fake accounts can gain followers and misuse the platform to scam people.
“While hacking into someone’s TikTok remains tricky without being near the target’s phone and carrying out a spot of shoulder surfing, it is a good reminder to make sure you have 2FA turned on,” Moore recommended.
He added that TikTok will never contact users to ask for account details, passwords or one-time codes, so users should be vigilant of any such request.
“Finally, if you ever see videos on TikTok that you think could be spam or possibly attempting to phish people for information, report them to TikTok straight away and steer clear of any associated links.”