Uh-Oh! TikTok's Multi-Factor Authentication Can Be Bypassed in Browsers

TikTok is still going strong despite the tension surrounding the app's future in the USA. However, there's a significant issue with one great security feature the app added in August. TikTok's multi-factor authentication can easily be skipped entirely if you log into the platform using a web browser.

TikTok finally adding some form of two-factor authentication was heralded as a great and much-needed new feature earlier this year. However, it turns out the multi-factor authentication only kicks in if TikTok is used on a mobile phone. In effect, this means that if bad actors got hold of a user's login credentials, they can gain access to their account simply by logging in through a browser, entirely dodging the MFA step.

TikTok tersely stated that they intend to expand their MFA functionality to cover web browser usage in the near future.

Thankfully, even if a hypothetical attacker managed to take over a TikTok account through the browser MFA skip, things are not as scary as they appear. The web dashboard available in the browser version of the platform has limited functionality compared to the mobile version. For example, complete account takeover through a password change is not possible. This sort of access and functionality is only present in the mobile app.

However, the bad actors could still use the compromised account to post video clips through it, spreading scams or trying to compromise the user in some other way. Those relatively limited options are not without consequence, as a possible en masse takeover of accounts can be used to run well-organized scams and propagate fake news.

One other issue that was discovered with the web dashboard is that a user on mobile does not get any sort of notification that their account is being used on a browser at the moment. Hopefully, this will be addressed in the future, together with the MFA fix for browsers.
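The two gaps described above (MFA gated on the client rather than the account, and no alert for a new browser session) come down to where the login logic puts its checks. The following is an added illustration written for this article, not TikTok's code; the account, password and client names are constructed samples, and the password comparison stands in for a real password-hash verification.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    password: str            # constructed sample; a real service stores only a hash
    mfa_enabled: bool
    sessions: list = field(default_factory=list)


def password_ok(account: Account, password: str) -> bool:
    # Constant-time comparison; stands in for a proper hash verify.
    return hmac.compare_digest(account.password, password)


def login_flawed(account, password, client, otp_valid):
    """MFA gated on the client type: a browser login never reaches the second factor."""
    if not password_ok(account, password):
        return "denied"
    if client == "mobile" and account.mfa_enabled and not otp_valid:
        return "mfa_required"
    return "ok"


def login_hardened(account, password, client, otp_valid):
    """MFA is a property of the account and is checked on every login path;
    every new session is recorded so the owner can be alerted about it."""
    if not password_ok(account, password):
        return "denied"
    if account.mfa_enabled and not otp_valid:
        return "mfa_required"
    account.sessions.append({"client": client, "alerted": False})
    return "ok"


def pending_alerts(account):
    """Return the clients the account owner has not yet been told about."""
    due = [s["client"] for s in account.sessions if not s["alerted"]]
    for s in account.sessions:
        s["alerted"] = True
    return due


if __name__ == "__main__":
    alice = Account("alice", "correct horse", mfa_enabled=True)
    print(login_flawed(alice, "correct horse", "web", otp_valid=False))    # ok: the bypass
    print(login_hardened(alice, "correct horse", "web", otp_valid=False))  # mfa_required
```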

Why you should use MFA whenever you can

Multi-factor authentication has become a relatively widespread extra security measure that platforms offer to their users. MFA usually forces anyone attempting to log into an account to provide a special security key or token, often delivered by text to a known and trusted mobile device number. This severely limits the probability of bad actors brute-forcing passwords or using phished credentials to take over accounts on any platform, as an extra step is introduced that requires access to the user's mobile phone.

This does not mean that MFA offers 100% security against attacks, as there have been known cases of circumventing certain implementations of MFA. In spite of that fact, it is a tool that should always be used when available as it vastly lowers the risk for your account on any given platform.

September 29, 2020