The security loophole has since been fixed
The recent security breaches involving well-known tech companies, such as LastPass, have shed a harsh light on password issues, and on how vulnerable users are as a result. They have strengthened calls to make two-factor authentication (2FA) a standard safeguard against account takeover, and businesses are racing to implement it. Pairing a password with a code sent via SMS or generated by one of the best 2FA apps, such as Google Authenticator, is a solid second layer of security, but it is not ironclad.
This is demonstrated by a recently disclosed 2FA flaw in TikTok’s app and website, which could have allowed attackers to get into an account without completing the 2FA step. The hole was reported by researcher Lu3ky-13 on HackerOne, who showed that the check could be bypassed with very little effort (via 9to5Google). As the researcher’s video shows, hammering the login with a burst of repeated sign-in attempts, a brute-force approach, rendered 2FA useless: after numerous attempts the 2FA prompt was skipped entirely.
TikTok acknowledged the flaw, attributing it to an intermittent timeout issue on a 2FA endpoint. According to the short-form video service, “multiple incorrect attempts” made in rapid succession may have allowed an attacker who already knew a victim’s username and password to bypass 2FA. That precondition matters: the bug did not expose passwords, but it stripped away the protection 2FA is supposed to provide once a password has leaked.
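To illustrate the failure class TikTok describes, here is an added example (not TikTok’s code and not a reconstruction of its endpoint): a toy 2FA verification handler that treats a backend timeout as a pass, beside a hardened one that fails closed and locks the session after a fixed number of submissions. The backend, its burst-triggered timeout, the expected code 482917, the user name and the attempt limit are all constructed for the demonstration.

```python
"""Fail-open vs fail-closed 2FA code verification (constructed example).

Nothing here is TikTok's code; the backend, its timeout behaviour and all
values are hypothetical, chosen to show the failure class described above.
"""
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

EXPECTED_CODE = "482917"   # hypothetical one-time code for the session
MAX_ATTEMPTS = 5           # hypothetical per-session submission limit


class BackendTimeout(Exception):
    """The code-checking service did not answer in time."""


@dataclass
class FlakyBackend:
    """Hypothetical verification service that stalls under a burst of calls.

    Once more than `burst_limit` checks arrive for one session it raises
    BackendTimeout instead of answering. That is the condition an attacker
    can provoke simply by submitting many wrong codes in rapid succession.
    """
    expected_code: str
    burst_limit: int = 5
    calls: int = 0

    def check(self, code: str) -> bool:
        self.calls += 1
        if self.calls > self.burst_limit:
            raise BackendTimeout("verification service did not respond")
        # Constant-time comparison so response timing leaks nothing.
        return hmac.compare_digest(code, self.expected_code)


@dataclass
class Session:
    username: str
    password_ok: bool          # first factor already satisfied
    attempts: int = 0
    locked: bool = False


def verify_fail_open(session: Session, code: str, backend: FlakyBackend) -> bool:
    """Vulnerable handler: an unanswered check is mistaken for a passed one."""
    if not session.password_ok:
        return False
    try:
        return backend.check(code)
    except BackendTimeout:
        return True   # bug: "could not verify" is treated as "verified"


def verify_fail_closed(session: Session, code: str, backend: FlakyBackend,
                       max_attempts: int = MAX_ATTEMPTS) -> bool:
    """Hardened handler: bounded attempts, and any failure to verify rejects."""
    if not session.password_ok or session.locked:
        return False
    session.attempts += 1
    if session.attempts > max_attempts:
        session.locked = True   # further codes, right or wrong, are refused
        return False
    try:
        return backend.check(code)
    except BackendTimeout:
        return False  # fail closed: an unknown result is never a pass


Handler = Callable[[Session, str, FlakyBackend], bool]


def brute_force(handler: Handler, session: Session, backend: FlakyBackend,
                tries: int = 10) -> Optional[int]:
    """Attacker who already has the password submits `tries` wrong codes.

    Returns the attempt number on which the handler let them in, or None.
    The guesses 000000..000009 are by construction never EXPECTED_CODE.
    """
    for i in range(tries):
        if handler(session, f"{i:06d}", backend):
            return i + 1
    return None


if __name__ == "__main__":
    alice = Session("alice", password_ok=True)
    print("fail-open admitted attacker on attempt:",
          brute_force(verify_fail_open, alice, FlakyBackend(EXPECTED_CODE)))
    alice = Session("alice", password_ok=True)
    print("fail-closed admitted attacker on attempt:",
          brute_force(verify_fail_closed, alice, FlakyBackend(EXPECTED_CODE)))
    print("session locked after burst:", alice.locked)
```

Run as a script, the fail-open handler admits the attacker on the sixth wrong code, the one that trips the simulated timeout, while the fail-closed handler rejects every guess and locks the session. The two properties to check in any real 2FA endpoint are the same: an exception or timeout on the verification path must never be taken as a pass, and the number of code submissions per session must be bounded regardless of whether the backend answered.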
The problem has now been fixed, although this is not the first time TikTok’s 2FA feature has had a loophole. In 2020, the year TikTok rolled out the feature, ZDNet reported that an attacker who knew an account’s password could sidestep 2FA simply by logging in through a web browser instead of the mobile app: TikTok had enforced 2FA only in the mobile app and left its website uncovered.
More recent incidents have revealed other weaknesses in the app. Last year, a vulnerability in the app’s deeplink verification process was uncovered that could have led to data breaches and malicious code execution. The latest, now-patched vulnerability is a reminder that 2FA has its own share of weaknesses as the threat landscape evolves. That said, it remains a significant part of the broader multifactor authentication approach to security.