A month after TikTok rolled out multi-factor authentication (MFA) for its users, a ZDNet reader discovered that the company's new security feature was only enabled for the mobile app but not its website.
This lapse in TikTok's MFA implementation opens the door for scenarios where a malicious threat actor could bypass MFA by logging into an account with compromised credentials via its website, rather than the mobile app.
Reached out for comment on the ZDNet reader's findings, a TikTok spokesperson said the company plans to expand MFA to cover its official website in the coming future.
In the meantime, users who have enabled MFA for their TikTok account for security reasons should not be lowering their guard and reuse passwords from other accounts, thinking MFA blocks all attackers. These users should continue to use complex and hard-to-guess passwords.
TikTok web dashboard has limited features
However, while this is technically an "MFA bypass," the issue is also not as dangerous as it sounds due to the limited options available to TikTok users in the web dashboard.
For example, even if an attacker manages to guess or phish a TikTok user to obtain their account credentials, the attacker can't change the user's password via the web dashboard to fully hijack an account.
The only meaningful option they have at their disposal is to upload & post a video to deface the user's account or promote scams.
However, just because they can't hijack the account, this doesn't mean the account is useless. For example, attackers could mount a mass-defacement campaign to promote various topics, from scams to political propaganda.
One such incident happened on Facebook and Instagram earlier this year, security researcher Zach Edwards told ZDNet in an email interview this week. A mysterious hacker broke into Facebook and Instagram accounts, changed the users' avatars to an image of an ISIS flag, and the accounts were suspended and locked after being flagged by Facebook's image recognition algorithms, making account recovery a painful and long process for the hacked users.
Moreover, Edwards raises additional questions.
"If TikTok doesn't actually turn on 2-factor security for an account when a user sets that up, it raises questions about whether the cell phone numbers are being used for a different purpose," Edwards said.
"It's a well-known fact that Facebook and other companies have abused 2-factor SMS signups, and a clear indicator that TikTok has done something similar is the reality that the TikTok 2-factor is an illusion, and totally optional when using the website login features."
The "Active Sessions" page will need to be fixed as well
The good news is that TikTok does intent to fix this issue. However, several other issues will also have to be addressed.
The ZDNet reader who brought this issue to our attention also pointed out that the TikTok mobile app doesn't show sessions taking place in real-time from the web dashboard. In its current form, this means that TikTok doesn't warn users when someone used their credentials to access their TikTok account via a browser.
Nonetheless, even if there's a loophole in TikTok's current MFA implementation, this doesn't mean users shouldn't use it. In fact, they should most definitely use it.
MFA is a security measure that forces users who are accessing an account to provide a second "factor" after providing their username and password. This factor can usually take the form of a one-time code sent via SMS or email, a biometric solution, or a cryptographic token provided by a security key.
Many online companies provide MFA as a second layer of authentication in order to protect accounts against situations where the owner's credentials have been leaked or acquired by a third-party.
TikTok rolled out SMS and email-based MFA to its 800 million userbase last month in August. The feature is called two-step verification (2SV) in the app's settings page, and users can enable it by following the steps laid out here.
The company also requires users by default to use complex passwords and also "encourage users to update passwords regularly and avoid using the same passwords across platforms," a spokesperson said.
In addition, the web login page is also protected by a CAPTCHA field, which seriously increases the threshold for successful credential-stuffing or other forms of automated attacks.
But to be clear, other social media apps like Facebook, Twitter, Instagram, and others, support MFA on their web dashboards and this security feature should apply to all a service's realty, and not just the mobile app.