Warning: TikTok Exploit going around

Please move if this is not the correct section. This is just meant as a warning to all Swapd users involved with TikToks

Multiple of my verified / OGs accounts received DMs of random (verified) accounts today. Directly after responding to their message, the users forwarded me a fake audio / profile message. See attachments below. These messages are apparently meant to steal your session ID or login information. And used to bypass 2Fa.

Your username and verified account might be at risk this way. According to what I have been informed of, is that multiple accounts have been hacked this way.

This message is meant as a precaution to everyone on here that owns or deals with verified or OG TikToks. Stay safe. Luckily the trick didn’t work on my accounts.

Do not open, click or engage in a chat with an account you don’t know.

(yes I was dumb enough to respond to them lol)



12 Likes

Thank you for this

2 Likes

The only explanation is if he attached something to the song file he published on TikTok. And when he sends that file, which is already on TikTok, you don’t need to click on it because it’s autonomously downloaded to you? Meybe something like that? What so you think?

2 Likes

Doesn’t seem like an actually sound, and not willing to click it. I assume he somehow disguises a file or link and makes it look like its an ‘audio’. So we are more likely to click / open. Afterwards it activates to automatically steal your session cookies/ID and they are in without needing your password. Scary stuff nonetheless, especially if he claims its supposed to work without click

3 Likes

One of my friends got fucked with this today unfortunately :sob:

2 Likes

If someone has an account with hackerone, please submit this:

3 Likes

Pretty much. The file doesn’t necessarily need to be pre-published, but there’s some sort of input handling breaking down, and the attacker’s able to inject malformed “video” content that allows them some sort of RCE (remote code execution), and as you mentioned the trend over the last 10 years has been to lean to server-side Javascript execution (XSS).

I suspect there is no ‘song’ attached to begin with, it’s just the malformed injection code.

Also likely that the “zero click” aspect @vnc mentioned has to do with TikTok audio downloading content by default (and/or auto downloading friend’s content), therefore auto-executing the code, and that the user in the screenshot had disabled it, confusing the script kiddie.

Cool info overall, thanks for the heads up OP!

5 Likes

Client just got hacked with this so bumping

I got hacked with same thing

1 Like

I think it’s going on instagram too, as i saw some random request messages on one of my instagram account, it was random like “super” “amazing”

But i never opened them and after seeing this tiktok thread I’m damn sure it was also a trick to get login details via session ID from IG accounts

So everyone please be aware.

https://www.tiktok.com/@femboy27748

Here’s the account btw if anyone wants to ban it

2 Likes

Is that the hacker’s account or the hacked account?

That’s the hackers account

They literally followed like 6 of my accounts