Jun 7, 2024 - Technology

TikTok mitigates malware attacks targeting high-profile accounts

[Illustration: an exclamation point in the style of the TikTok logo. Credit: Aïda Amer/Axios]

TikTok says it has fixed a vulnerability that led to a rare type of cyberattack this week.

Why it matters: Hackers sent a private, malware-laced message to users that took over their accounts as soon as the message was opened.

  • TikTok confirmed to Axios that the unidentified hackers were able to take over CNN's account.
  • Reports suggest that they also attempted to hijack Paris Hilton's TikTok account.

Threat level: It remains unclear who is behind the attack and what vulnerability the hackers exploited — but this type of attack is extremely rare and likely won't impact the average user.

Driving the news: Semafor first reported the CNN account takeover, and Forbes reported Tuesday on the use of zero-click malware.

  • A TikTok spokesperson added that the company is actively working with affected account owners to restore their access.

Between the lines: The TikTok account takeovers look a lot like zero-click spyware attacks that target high-profile government officials, political activists and journalists.

  • However, the end result is different: In spyware attacks, the goal is to track users' phone calls, text messages and other activities.
  • In the TikTok case, the goal was to completely take over the account.

Zoom in: It's possible the vulnerability affected how content is loaded in direct messages, Malwarebytes security researcher Pieter Arntz noted.

  • Microsoft identified a vulnerability in TikTok's Android app in 2022 that could lead to one-click account hijacking — and TikTok released a fix to that flaw before it was disclosed.

What we're watching: Only two accounts have been identified as targets in the attack so far.
