One month after TikTok implemented MFA for its users, it was discovered that the feature was only enforced in the mobile app and not on the website. This lapse in TikTok's new security feature would allow attackers to bypass MFA by logging into an account with compromised credentials via the website. Luckily, there is not much an attacker can do with a compromised account when logging into TikTok via the website. The website dashboard does not allow passwords to be reset. However, an attacker could still deface an account by uploading and posting videos. Another flaw found in TikTok's platform was that the mobile app does not show, in real time, sessions taking place from the web dashboard. This means that TikTok does not warn users when someone uses their credentials to access their TikTok account via a web browser.
https://www.zdnet.com/article/you-can-bypass-tiktoks-mfa-by-logging-in-via-a-browser/