TikTok’s 2FA feature was briefly vulnerable to brute force attacks
The recent security breaches involving well-known tech companies, such as LastPass, have shed a harsh light on password issues, and how vulnerable users are as a result. It aided calls to make two-factor authentication a standard solution to make life difficult for hackers, and businesses are racing to implement it. Sure, pairing a password with a code sent via SMS or generated by some of the best 2FA apps like Google Authenticator seems like a solid second layer of security, but it’s not ironclad.
This is demonstrated by a recent 2FA flaw in TikTok’s app and website, which could have allowed hackers to gain access to your account without requiring 2FA. The security hole was discovered by Lu3ky-13 on HackerOne, demonstrating that it was possible to bypass the security measure without breaking a sweat (via 9to5Google). As shown in the video below, using brute force attacks to log in to a TikTok account rendered 2FA useless. The 2FA page is bypassed after numerous attempts to sign in.
TikTok acknowledged the security flaw, explaining that a random timeout issue on a 2FA endpoint was the culprit. According to the short-form video service, “multiple incorrect attempts” made in rapid succession may have allowed cybercriminals to bypass 2FA if they know your username and password.
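One defensive pattern against the rapid-guess bypass described above, written here as an added example and not TikTok’s code: a 2FA verifier that caps the number of guesses per pending login, treats a slow or failing code store as a denial rather than a pass (fail closed), and consumes each code on success. All class names, constants and the in-memory store are constructed for illustration.

```python
import hmac
import time

# Constructed example, not TikTok's code: a 2FA code verifier that
# fails closed and caps the number of guesses per login session.
MAX_ATTEMPTS = 5          # guesses allowed before the pending login is voided
CODE_TTL_SECONDS = 300    # a one-time code is valid for five minutes


class OtpBackendTimeout(Exception):
    """Raised by the (simulated) code store when it does not answer in time."""


class TwoFactorVerifier:
    def __init__(self, now=time.monotonic):
        self._now = now
        # session_id -> {"code": str, "issued": float, "failures": int}
        self._pending = {}

    def issue(self, session_id, code):
        """Register the code sent to the user for this pending login."""
        self._pending[session_id] = {"code": code, "issued": self._now(), "failures": 0}

    def _lookup(self, session_id):
        # Hook for the real code store; a subclass can simulate a timeout here.
        return self._pending.get(session_id)

    def verify(self, session_id, submitted):
        """Return True only when a valid, unexpired code is supplied within the
        attempt budget. Any error or timeout on the lookup denies access."""
        try:
            entry = self._lookup(session_id)
        except OtpBackendTimeout:
            return False            # fail closed: a slow store never means "authenticated"
        if entry is None:
            return False            # no pending login (never issued, or already voided)
        if self._now() - entry["issued"] > CODE_TTL_SECONDS:
            del self._pending[session_id]
            return False            # expired code: user must request a fresh one
        # constant-time comparison so timing does not leak how many digits match
        if hmac.compare_digest(entry["code"], submitted):
            del self._pending[session_id]   # one-time: a code is consumed on success
            return True
        entry["failures"] += 1
        if entry["failures"] >= MAX_ATTEMPTS:
            del self._pending[session_id]   # guess budget exhausted: restart the login
        return False
```

The key property is that every non-success path, including the store timing out, returns False; the 2FA step is never skipped because the backend failed to answer.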
The problem has now been fixed, although this isn’t the first time that TikTok’s 2FA feature has had a security loophole. In 2020, the year TikTok rolled out the feature, it was found that a hacker could circumvent 2FA by logging into a compromised account via a web browser instead of the mobile app, as per ZDNet. It turned out that TikTok only enabled 2FA for the mobile app, leaving out its website.

More recent incidents shed light on other loopholes in the app. Last year, a vulnerability in the app’s deeplink verification process was uncovered, which could have resulted in data breaches and malicious code execution. The latest vulnerability, which should be gone by now, highlights that 2FA has its share of weaknesses as the threat landscape evolves. That said, it remains a significant part of the broader multifactor authentication approach to security.