TikTok fixed a security hole in its Android app that bypassed two-factor authentication [Video]

bypass two-factor authentication

A vulnerability has just been disclosed in the TikTok app for Android, as well as TikTok on the web which made it relatively easy to bypass two-factor authentication entirely.

Uncovered by Lu3ky-13 on HackerOne, TikTok’s Android app had a gaping security hole that allowed users to bypass two-factor authentication without any special tools or methods. The vulnerability simply brute forces the login page, repeatedly logging in over and over again until, eventually, the two-factor authentication page is skipped and TikTok allows for a successful login to the account.

TikTok summarized the issue:

A vulnerability was found where a random timeout issue on a Two-Step Verification endpoint could have resulted in a potential bypass of authentication if multiple incorrect attempts were entered in quick succession. It was found that this vulnerability required access to the user’s email/password or phone number/code associated with the account and multiple bruteforcing attempts to bypass would be needed.

The vulnerability was first reported to TikTok in October 2022 and was patched in mid-December 2022 and is no longer active.

Of course, this vulnerability in TikTok assumes that a malicious party has your correct username and password. While this has been fixed, it’s a good reminder to keep up with password security, especially with recent security breaches such as the LastPass hack in recent memory.

You can see the vulnerability in action below.

More on Android:

Author: Ben Schoon
Source: 9TO5Google

Related posts

Apple Arcade games for iPhone, Mac, Apple TV [New: Castle Crumble]


OnePlus Ace 2 coming with a dedicated power management chip for its 5,000 mAh battery


Google Messages removed Assistant but might replace it with ‘Spotlights’


Google hosting Search and AI event next week

Sign up for our Newsletter and
stay informed!