
A month after TikTok rolled out multi-factor authentication (MFA) for its users, a ZDNet reader discovered that the company's new security feature was only enabled for the mobile app but not its website.

This lapse in TikTok's MFA implementation opens the door for scenarios where a malicious threat actor could bypass MFA by logging into an account with compromised credentials via its website, rather than the mobile app.
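The gap described above comes down to where the second-factor decision is made. The following Python sketch is an added illustration, not TikTok's code and not based on any knowledge of its backend: it models a login service whose flawed variant only asks for a second factor when the request comes from the mobile client, beside a hardened variant that treats MFA as a property of the account and enforces it on every channel. Account names, passwords, factor values and the client list are constructed for the example.

```python
# Added example (not TikTok's code): two MFA enforcement policies side by side,
# plus a small audit helper that reports which client channels let a correct
# password alone into an MFA-enrolled account.
from dataclasses import dataclass
from typing import Optional
import hmac


@dataclass
class Account:
    username: str
    password: str              # plaintext only in this toy; real systems store a hash
    mfa_enabled: bool
    totp_secret: Optional[str] = None


# Constructed sample accounts (hypothetical, not real user data).
ACCOUNTS = {
    "alice": Account("alice", "correct horse battery staple",
                     mfa_enabled=True, totp_secret="alice-totp"),
    "bob": Account("bob", "hunter2", mfa_enabled=False),
}

# Every way a client can reach the login endpoint. In the article's case the
# website was such a channel; "api" is added here as a reminder that any
# channel not covered by the policy is a bypass.
CLIENTS = ("mobile", "web", "api")


def verify_password(account: Account, password: str) -> bool:
    return hmac.compare_digest(account.password.encode(), password.encode())


def verify_second_factor(account: Account, code: Optional[str]) -> bool:
    # Stand-in for TOTP/SMS verification: the code must match the enrolled
    # factor. A real deployment would verify a time-based code instead.
    if account.totp_secret is None:
        return False
    return hmac.compare_digest(account.totp_secret.encode(), (code or "").encode())


def login_flawed(username: str, password: str, client: str,
                 mfa_code: Optional[str] = None) -> str:
    """MFA gated on the client type: only the mobile path asks for a second factor."""
    account = ACCOUNTS.get(username)
    if account is None or not verify_password(account, password):
        return "denied"
    if client == "mobile" and account.mfa_enabled:
        return "ok" if verify_second_factor(account, mfa_code) else "mfa_required"
    return "ok"


def login_hardened(username: str, password: str, client: str,
                   mfa_code: Optional[str] = None) -> str:
    """MFA is decided per account, server-side, regardless of which client logs in."""
    account = ACCOUNTS.get(username)
    if account is None or not verify_password(account, password):
        return "denied"
    if account.mfa_enabled:
        return "ok" if verify_second_factor(account, mfa_code) else "mfa_required"
    return "ok"


def mfa_gaps(login_fn, username: str, password: str) -> list:
    """Audit helper: channels where a correct password alone reaches 'ok' for an
    MFA-enrolled account. An empty list means the policy holds on every channel."""
    return [c for c in CLIENTS if login_fn(username, password, c) == "ok"]


if __name__ == "__main__":
    creds = ("alice", "correct horse battery staple")
    print("flawed policy bypassed on:", mfa_gaps(login_flawed, *creds))    # ['web', 'api']
    print("hardened policy bypassed on:", mfa_gaps(login_hardened, *creds))  # []
```

The `mfa_gaps` check is the kind of regression test worth keeping in a login service's test suite: it enumerates every client channel and fails the build if any of them grants access to an MFA-enabled account on a password alone, which is exactly the condition the ZDNet reader observed.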

Asked to comment on the ZDNet reader's findings, a TikTok spokesperson said the company plans to expand MFA to cover its official website in the near future.

In the meantime, users who have enabled MFA on their TikTok account should not lower their guard and reuse passwords from other accounts on the assumption that MFA blocks all attackers. They should continue to use complex, hard-to-guess passwords.

TikTok web dashboard has limited features

While this is technically an "MFA bypass," the issue is not as dangerous as it sounds, because of the limited options available to TikTok users in the web dashboard.

For example, even if an attacker obtains a TikTok user's credentials by guessing or phishing them, they cannot change the user's password via the web dashboard, and so cannot fully hijack the account.

The only meaningful option at their disposal is to upload and post a video to deface the user's account or promote scams[1].

However, the fact that they cannot hijack the account does not mean the account is useless to them. For example, attackers could mount a mass-defacement campaign to promote various topics, from scams to political propaganda.

One such incident happened on Facebook and Instagram[2] earlier this year, security researcher Zach Edwards[3] told ZDNet in an email interview this week. A mysterious hacker broke into Facebook and

Read more from our friends at ZDNet