silversurfer
Thread author
A month after TikTok rolled out multi-factor authentication (MFA) for its users, a ZDNet reader discovered that the company's new security feature was only enabled for the mobile app but not its website.
This lapse in TikTok's MFA implementation opens the door for scenarios where a malicious threat actor could bypass MFA by logging into an account with compromised credentials via its website, rather than the mobile app.
Reached out for comment on the ZDNet reader's findings, a TikTok spokesperson said the company plans to expand MFA to cover its official website in the coming future.
In the meantime, users who have enabled MFA for their TikTok account for security reasons should not be lowering their guard and reusing passwords from other accounts, thinking MFA blocks all attackers. These users should continue to use complex and hard-to-guess passwords.
You can bypass TikTok's MFA by logging in via a browser
Enabling MFA in the TikTok mobile app doesn't apply it for the web dashboard. TikTok promised to fix the issue.
www.zdnet.com