MADRID, Jan. 11 (Portaltic/EP) –
TikTok has fixed a vulnerability in its platform that allowed the two-step authentication system to be bypassed, without any specific tools or methods, to gain unauthorized access to accounts on Android phones.
Like the other popular social networks, the ByteDance-owned service has an authentication system based on email and telephone number, which it says provides the protection needed to prevent attacks and identity theft.
However, a user of the HackerOne platform identified as Lu3ky-13 discovered that the Android version of TikTok had a security flaw that allowed this protection to be bypassed.
TikTok has explained in this forum that “This vulnerability was found to require access to the email/password or phone number/usercode associated with the account” and that “it would take multiple attempts to bypass the brute force.”
Specifically, this bug allowed access to a given account after the login was forced repeatedly. After the form on the TikTok home page was completed, a window was displayed requesting a login code that had been sent to the phone number associated with that account.
If the back arrow was pressed to return to the previous page, that interface reappeared with the username and password fields already filled in (if the option to ‘Remember’ the credentials had been chosen), and the process could be repeated several times: click ‘Log in’ or ‘Enter’, go back when the two-step authentication box appears, and so on.
After several such failed login attempts, this error in the system ended up skipping the two-factor authentication page and allowing login without that additional security step.
The platform was informed of the vulnerability in October 2022; it was fixed with a security patch in December 2022 and is no longer active, as reported by 9to5Google.
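As an added illustration (not part of this article, and not TikTok's own code), the following Python sketch shows the kind of server-side check a defender could run over authentication events to spot the pattern described above: a login that succeeds with no second-factor verification after several abandoned 2FA prompts. The JSON-lines log format, the event names and the sample events are all constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample auth events, one JSON object per line (not real TikTok logs).
# "alice" shows the reported pattern: three 2FA prompts are issued and abandoned,
# then a login succeeds without any 2FA verification. "bob" is a normal login.
SAMPLE_LOG = """\
{"ts": "2022-10-01T10:00:01Z", "account": "alice", "event": "mfa_challenge"}
{"ts": "2022-10-01T10:00:06Z", "account": "alice", "event": "mfa_challenge"}
{"ts": "2022-10-01T10:00:10Z", "account": "alice", "event": "mfa_challenge"}
{"ts": "2022-10-01T10:00:14Z", "account": "alice", "event": "login_success"}
{"ts": "2022-10-01T10:01:01Z", "account": "bob", "event": "mfa_challenge"}
{"ts": "2022-10-01T10:01:20Z", "account": "bob", "event": "mfa_verified"}
{"ts": "2022-10-01T10:01:21Z", "account": "bob", "event": "login_success"}
not-json-garbage
"""


def find_mfa_bypass(log_text, min_abandoned=2):
    """Flag accounts whose login succeeded with no 2FA verification after at
    least `min_abandoned` challenges were issued and never verified.
    Returns a list of (account, abandoned_challenge_count)."""
    pending = defaultdict(int)    # challenges issued since the last verification
    verified = defaultdict(bool)  # has the current session passed 2FA?
    hits = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # skip malformed lines instead of aborting the sweep
        acct, kind = ev.get("account"), ev.get("event")
        if kind == "mfa_challenge":
            pending[acct] += 1
            verified[acct] = False
        elif kind == "mfa_verified":
            verified[acct] = True
        elif kind == "login_success":
            if not verified[acct] and pending[acct] >= min_abandoned:
                hits.append((acct, pending[acct]))
            # a completed login starts a fresh session either way
            pending[acct] = 0
            verified[acct] = False
    return hits


if __name__ == "__main__":
    for acct, n in find_mfa_bypass(SAMPLE_LOG):
        print(f"{acct}: login succeeded without 2FA after {n} abandoned challenges")
```

Raising `min_abandoned` trades sensitivity for fewer false positives from users who simply let one prompt time out.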