A month after TikTok rolled out multi-factor authentication (MFA) for its users, a ZDNet reader discovered that the company’s new security feature was only enabled for the mobile app but not its website.
This lapse in TikTok’s MFA implementation opens the door for scenarios where a malicious threat actor could bypass MFA by logging into an account with compromised credentials via its website, rather than the mobile app.
Reached out for comment on the ZDNet reader’s findings, a TikTok spokesperson said the company plans to expand MFA to cover its official website in the coming future.
In the meantime, users who have enabled MFA for their TikTok account for security reasons should not be lowering their guard and reuse passwords from other accounts, thinking MFA blocks all attackers. These users should continue to use complex and hard-to-guess passwords.
TikTok web dashboard has limited features
However, while this is technically an “MFA bypass,” the issue is also not as dangerous as it sounds due to the limited options available to TikTok users in the web dashboard.
For example, even if an attacker manages to guess or phish a TikTok user to obtain their account credentials, the attacker can’t change the user’s password via the web dashboard to fully hijack an account.
The only meaningful option they have at their disposal is to upload & post a video to deface the user’s account or promote scams.
However, just because they can’t hijack the account, this doesn’t mean the account is useless. For example, attackers could mount a mass-defacement campaign to promote various topics, from scams to political propaganda.
One such incident happened on Facebook and Instagram earlier this year, security researcher Zach Edwards told ZDNet in an email interview this week. A mysterious hacker broke into Facebook and Instagram accounts, changed the users’ avatars to an image of an ISIS flag, and the accounts were suspended and locked after being flagged by Facebook’s image recognition algorithms, making account recovery a painful and long process for the hacked users.
Moreover, Edwards raises additional questions.
“If TikTok doesn’t actually turn on 2-factor security for an account when a user sets that up, it raises questions about whether the cell phone numbers are being used for a different purpose,” Edwards said.
“It’s a well-known fact that Facebook and other companies have abused 2-factor SMS signups, and a clear indicator that TikTok has done something similar is the reality that the TikTok 2-factor is an illusion, and totally optional when using the website login features.”
The “Active Sessions” page will need to be fixed as well
The good news is that TikTok does intent to fix this issue. However, several other issues will also have to be addressed.
The ZDNet reader who brought this issue to our attention also pointed out that the TikTok mobile app doesn’t show sessions taking place in real-time from the web dashboard. In its current form, this means that TikTok doesn’t warn users when someone used their credentials to access their TikTok account via a browser.