Last week, CNN's official TikTok account was compromised by a hacker, leading the network to temporarily take down the account. The breach, which exploited a zero-day vulnerability in TikTok's direct message feature, is part of a broader trend of similar high-profile account takeovers on the platform.
The breach was first reported by Semafor. A CNN spokesperson confirmed the incident and stated that the network is collaborating with TikTok to enhance cybersecurity measures. This collaboration aims to secure the account at an important time, with upcoming events like the presidential debate.
Discovery and response
The vulnerability was identified as a zero-day flaw, meaning it was previously unknown and had no official patch. Attackers exploited this flaw by sending malicious code via direct messages (DMs) on TikTok. Simply opening these DMs allowed the malicious code to execute, compromising the accounts without any further action required from the users. Other notable victims of this attack include Paris Hilton and a Sony brand account.
TikTok's spokesperson, Alex Haurek, acknowledged the issue and stated that the security team is actively addressing the vulnerability. Although the number of compromised accounts is reported to be very small, TikTok has not disclosed specific figures. Haurek emphasized that TikTok is working directly with affected account owners to restore access and prevent future attacks.
Impact and implications
CNN, a global news network, reaches over 90 million households in the U.S. and operates numerous international news channels. The breach highlights the importance of stringent digital security practices, particularly for organizations with large followings and high public profiles.
Internally, some CNN staffers admitted that the organization had become lax in its digital security protocols. Before the hack, dozens of employees had access to the TikTok account, widening the exposure of a single shared credential. However, it was clarified that the breach did not stem from internal access but rather from the exploitation of the TikTok DM vulnerability.
TikTok's security and legal challenges
This incident is not isolated. TikTok, a platform with over a billion global users, has faced multiple security challenges over the years.
In 2022, Microsoft researchers discovered a vulnerability allowing account takeovers through a single click. In 2023, insecure SMS channels for two-factor authentication led to the compromise of 700,000 accounts in Turkey, coinciding with the country's presidential elections.
These security issues come amid growing concerns from lawmakers about TikTok's privacy practices and potential connections to the Chinese government through its parent company, ByteDance. In April, U.S. lawmakers passed legislation requiring ByteDance to divest from TikTok or face a ban in the United States. This move followed fears of potential espionage and influence over American users' data and content consumption.
Defensive recommendations
To mitigate such risks, organizations should:
- Limit access to social media accounts to essential personnel only.
- Regularly update and audit security protocols.
- Enable multi-factor authentication using secure methods.
- Educate staff on recognizing and handling suspicious messages.
For TikTok users, it is crucial to:
- Avoid opening unexpected or suspicious DMs.
- Regularly update account passwords.
- Monitor account activity for unauthorized actions.
As TikTok continues to address these vulnerabilities, users and organizations alike must remain vigilant and proactive in their cybersecurity practices to safeguard against future attacks.