How to hack TikTok accounts: 5 common vulnerabilities

Profile picture of Jessica Truong Hacker Noon

Jessica truong

Interested in security? Track content within cybersecurity

TikTok has become one of the most popular and widely used social media platforms. It is an app that allows users to share and watch videos, between fifteen seconds and three minutes, of people you follow (such as celebrities, your friends and family members). Unfortunately, since it is a popular app, it has become an easy target for hackers. This article will discuss five common vulnerabilities in TikTok and how to protect yourself against them.

TikTok Hacks and Vulnerabilities:

  1. Cross-site script (XSS)
  2. Phishing emails
  3. Remote keyloggers
  4. Zero-Day Vulnerabilities
  5. Weak passwords

1. Cross-site script (XSS)

Cross-Site Scripting is a “vulnerability that allows the execution of unauthorized JavaScript code on a website” (MalCare). There are two types of XSS: reflected and stored. Reflective XSS is considered less dangerous and “is a one-off attack where the payload sent in a reflective XSS attack is only valid on that single request” (sciencedirect). Whoever “clicks on the link that contains the malicious script will be the only person directly affected by this attack.” Let’s take a look at an example of the XSS attack on TikTok.

In 2020, Muhammed Taskiran, security researcher, discovered a vulnerability linked to “a URL parameter on the domain that has not been properly cleaned” (zdnet). While in the process of scrambling the platform, he discovered that “this issue could be exploited to perform thoughtful cross-site scripting, potentially leading to the execution of malicious code in a user’s browser session.” .

So what does this mean for the TikTok user? Well, if the attackers have successfully executed malicious code (i.e. scripts) in a user’s browser session then the user’s session has been hijacked and the attacker can do What he wants ! They can redirect user to malicious websites, record user’s online activity or even download malicious files to user’s system and hijack their device.

How to protect yourself against XSS attacks

To protect and prevent an XSS attack, you should use data disinfection on the domain to ensure that only the correct variables are inserted.

2. Phishing emails


Phishing emails are an easy way for hackers to hack TikTok accounts. The hacker can send fake emails to users pretending they are from TikTok. The content of emails may indicate, for example, that your account has been compromised and requires your credentials to help recover your account. This is just one example of how a cybercriminal can manipulate you to enter your personal information.

In 2019, there was a vulnerability that allowed hackers to “use a link in TikTok’s messaging system to send users messages that appeared to be from TikTok” (nytimes). If users clicked on the link, hackers could access and take control of all accounts. Hackers could do whatever they wanted with the account (post videos, view users’ private videos, etc.).

How to protect yourself against phishing attacks

Users need to be educated and informed about the characteristics of phishing emails in order to be able to spot them. Here is what you can do:

  • Don’t click any links or open any attachments from suspicious emails
  • Do not enter any personal information from a pop-up screen (note: legitimate businesses would never ask for personal information this way)
  • Pay close attention to spelling mistakes in email content

3. Remote keyloggers

Remote keyloggers mainly affect our mobile device or laptop as the cybercriminal needs to access your device first and then install software to record everything you type on your keyboard. This means that if you log into personal accounts (email, bank, Tiktok, etc.), each key will be saved. The hacker will have this information and can hack your account.

How to protect yourself from remote keyloggers

  • Do not use third-party keyboard apps
  • Do not open any attachments or click links in email messages as the keylogger may be embedded in the attachment
  • Install anti-spyware applications to help detect, disable and quarantine software keyboard loggers

4. Zero-Day Vulnerability

Zero-day vulnerabilities are new security vulnerabilities that may be known to software vendors, but no patch exists yet to fix the vulnerability. As a result, it would allow hackers to exploit the vulnerability. If a hacker discovers a vulnerability with TikTok (i.e. with the source code or the database), then hackers can disclose all user data.

How to Protect Against Zero-Day Vulnerabilities

There is no way to completely avoid zero-day vulnerabilities, but you can do the following as additional security precautions to prevent hackers from entering your TikTok account:

  • Make sure you are using the latest version of TikTok
  • Enable two-factor authentication

5. Weak passwords


Hackers can easily hack TikTok accounts by guessing the password, especially if the password is simple and commonly used, like nickname, phone number, partner name, pet name, to name a few. Of course, the hacker can also perform a brute force attack on the user’s password if the password is a bit more difficult to guess.

How to protect yourself against weak passwords

Users should select a strong password consisting of numbers, symbols, a space bar, and upper and lower case letters. Note that your TikTok account password is unique and is not the same as that used for other email or social media accounts. This would reduce the risk of your account being compromised. You can also use this website, HaveIBeenPwned, to verify that your account is secure and that your credentials have been disclosed to the public.

Final thoughts on TikTok hacks and how to prevent them

These are just five common vulnerabilities that can allow attackers to hack TikTok accounts and how to protect yourself against each one. I’m sure there are lots of other techniques out there, but these are just a few that I have found to be important.

Hackers are always one step ahead of finding new techniques where prevention might not be possible in the beginning. Therefore, you should make sure that you do everything possible to make sure that your account is secure.



About Author

Comments are closed.