TikTok mitigates malware attacks targeting high-profile accounts
Add Axios as your preferred source to
see more of our stories on Google.
Illustration: Aïda Amer/Axios
TikTok says it has fixed a vulnerability that led to a rare type of cyberattack this week.
Why it matters: Hackers sent a private, malware-laced message to users that took over their accounts as soon as the message was opened.
- TikTok confirmed to Axios that the unidentified hackers were able to take over CNN's account.
- Reports suggest that they also attempted to hijack Paris Hilton's TikTok account.
Threat level: It remains unclear who is behind the attack and what vulnerability the hackers exploited — but this type of attack is extremely rare and likely won't impact the average user.
Driving the news: Semafor first reported the CNN account takeover, and Forbes reported Tuesday on the use of zero-click malware.
- A TikTok spokesperson added that the company is actively working with affected account owners to restore their access.
Between the lines: The TikTok accounts look a lot like zero-click spyware attacks that target high-profile government officials, political activists and journalists.
- However, the end result is different: In spyware attacks, the goal is to track users' phone calls, text messages and other activities.
- In the TikTok case, the goal was to completely take over the account.
Zoom in: It's possible the vulnerability affected how content is loaded in direct messages, Malwarebytes security researcher Pieter Arntz noted.
- Microsoft identified a vulnerability in TikTok's Android app in 2022 that could lead to one-click account hijacking — and TikTok released a fix to that flaw before it was disclosed.
What we're watching: Only two accounts have been identified as targets in the attack so far.
