MobileNews

TikTok fixed a security hole in its Android app that bypassed two-factor authentication [Video]

bypass two-factor authentication

A vulnerability has just been disclosed in the TikTok app for Android, as well as TikTok on the web which made it relatively easy to bypass two-factor authentication entirely.

Uncovered by Lu3ky-13 on HackerOne, TikTok’s Android app had a gaping security hole that allowed users to bypass two-factor authentication without any special tools or methods. The vulnerability simply brute forces the login page, repeatedly logging in over and over again until, eventually, the two-factor authentication page is skipped and TikTok allows for a successful login to the account.

TikTok summarized the issue:

A vulnerability was found where a random timeout issue on a Two-Step Verification endpoint could have resulted in a potential bypass of authentication if multiple incorrect attempts were entered in quick succession. It was found that this vulnerability required access to the user’s email/password or phone number/code associated with the account and multiple bruteforcing attempts to bypass would be needed.

The vulnerability was first reported to TikTok in October 2022 and was patched in mid-December 2022 and is no longer active.

Of course, this vulnerability in TikTok assumes that a malicious party has your correct username and password. While this has been fixed, it’s a good reminder to keep up with password security, especially with recent security breaches such as the LastPass hack in recent memory.

You can see the vulnerability in action below.

More on Android:



Author: Ben Schoon
Source: 9TO5Google

Related posts
MobileNews

Here’s what your iPhone 16 will do with Apple Intelligence — eventually

MobileNews

Google announces a market-shifting deal to capture CO2

MobileNews

Bluesky lets you post videos now

AI & RoboticsNews

Datricks gets $15M from SAP and others for AI-powered risk and compliance platform

Sign up for our Newsletter and
stay informed!