A vulnerability has just been disclosed in the TikTok app for Android, as well as TikTok on the web which made it relatively easy to bypass two-factor authentication entirely.
Uncovered by Lu3ky-13 on HackerOne, TikTok’s Android app had a gaping security hole that allowed users to bypass two-factor authentication without any special tools or methods. The vulnerability simply brute forces the login page, repeatedly logging in over and over again until, eventually, the two-factor authentication page is skipped and TikTok allows for a successful login to the account.
TikTok summarized the issue:
A vulnerability was found where a random timeout issue on a Two-Step Verification endpoint could have resulted in a potential bypass of authentication if multiple incorrect attempts were entered in quick succession. It was found that this vulnerability required access to the user’s email/password or phone number/code associated with the account and multiple bruteforcing attempts to bypass would be needed.
The vulnerability was first reported to TikTok in October 2022 and was patched in mid-December 2022 and is no longer active.
Of course, this vulnerability in TikTok assumes that a malicious party has your correct username and password. While this has been fixed, it’s a good reminder to keep up with password security, especially with recent security breaches such as the LastPass hack in recent memory.
You can see the vulnerability in action below.
More on Android:
- Windows 11’s Subsystem for Android is almost ready for its Android 13 upgrade
- Essential apps for hardcore Android users [Video]
- YouTube testing video queue on Android and iOS; here’s how to enable
The post TikTok fixed a security hole in its Android app that bypassed two-factor authentication [Video] first appeared on 9to5google.com