SWAPD is a trusted middleman service dedicated to offering our users the safest way to buy, sell, or trade items and services of virtual nature. SWAPD opens doors for you to earn and rise to fame in the digital universe by connecting you with vast network of buyers, sellers, and opportunities.
Please move if this is not the correct section. This is just meant as a warning to all Swapd users involved with TikToks.
Several of my verified / OG accounts received DMs from random (verified) accounts today. Directly after responding to their message, the users forwarded me a fake audio / profile message. See attachments below. These messages are apparently meant to steal your session ID or login information, and are used to bypass 2FA.
Your username and verified account might be at risk this way. From what I have been informed, multiple accounts have been hacked this way.
This message is meant as a precaution to everyone on here who owns or deals with verified or OG TikToks. Stay safe. Luckily the trick didn't work on my accounts.
Do not open, click or engage in a chat with an account you don't know.
The only explanation is if he attached something to the song file he published on TikTok. And when he sends that file, which is already on TikTok, you don't need to click on it because it's autonomously downloaded to you? Maybe something like that? What do you think?
Doesn't seem like an actual sound, and I'm not willing to click it. I assume he somehow disguises a file or link and makes it look like it's an "audio", so we are more likely to click / open. Afterwards it activates to automatically steal your session cookies/ID and they are in without needing your password. Scary stuff nonetheless, especially if he claims it's supposed to work without a click.
Pretty much. The file doesn't necessarily need to be pre-published, but there's some sort of input handling breaking down, and the attacker's able to inject malformed "video" content that allows them some sort of RCE (remote code execution), and as you mentioned the trend over the last 10 years has been to lean to server-side Javascript execution (XSS).
I suspect there is no "song" attached to begin with, it's just the malformed injection code.
Also likely that the "zero click" aspect @vnc mentioned has to do with TikTok audio downloading content by default (and/or auto downloading friends' content), therefore auto-executing the code, and that the user in the screenshot had disabled it, confusing the script kiddie.