TikTok 2FA Bypass via Third-Party Integration: A Critical Oversight I Discovered

While conducting routine security testing, I discovered a critical vulnerability in TikTok’s authentication system that allows two-factor authentication (2FA) to be bypassed—despite it being enabled.

Specifically, when logging into TikTok through a third-party app like CapCut using the “Sign in with TikTok” feature, I noticed that the 2FA prompt never appeared. Instead, the login process granted full access to the account without requiring the second verification step, completely undermining the protection 2FA is supposed to offer.

This issue is especially concerning for users with high-profile or sensitive accounts who depend on 2FA to secure their information. Even though I reported the vulnerability, it was ultimately marked as a duplicate in TikTok’s system. However, that doesn’t diminish the risk posed by this inconsistency.

It’s essential that 2FA be enforced not just within TikTok’s own app, but across all third-party services that use its login infrastructure. Security should be seamless, consistent, and enforced universally. Anything less leaves room for exploitation.

Comments

Post a Comment

Popular posts from this blog

🚨When an AI Search Engine Forgot Who It Was: A Bug Report That Changed Perplexity AI’s Identity

Image
 Back on March 11, 2024 , I discovered something oddly off about how Perplexity AI saw itself. I had just downloaded the newly launched Perplexity Chrome extension , even though I’d been using the mobile app long before that. Just for fun, I asked the most basic, yet revealing question imaginable: “Are you better than Google?” It seemed like the perfect litmus test for a product that claims to reinvent search. But to my surprise, the response had nothing to do with Perplexity. Instead, it launched into a comparison between ChatGPT and Google. I was stunned - this wasn’t a chatbot; this was Perplexity, a search engine. Why was it talking like it was just a wrapper for OpenAI? Curious (and confused), I switched to the app version and asked the same question. The response was identical: Perplexity was still comparing ChatGPT to Google, completely ignoring its own identity in the process. That’s when it hit me - this wasn’t just a UX quirk; it was a core product logic bug . It wasn...
Read more

When Two-Factor Authentication Becomes Too Easy: A Surprising Instagram Security Flaw

Two-factor authentication (2FA) is supposed to be a cornerstone of digital security. It’s that extra lock on the door — a way to prove you’re really you, not just someone with your password. But what happens if that lock can be turned on silently, without your knowledge? While testing Instagram’s multi-account feature on their mobile app, I discovered a surprising and concerning flaw: when creating a second Instagram account using the same Gmail address within the app, the system automatically enables SMS-based 2FA on the new account without any verification . Yes, you read that right — no SMS code, no confirmation, nothing. How This Happens Imagine you’re logged into Instagram Account A, which already has two-factor authentication enabled with your verified phone number. From there, you use Instagram’s “Add Account” → “Create New Account” option and register a second account, Account B, with the same Gmail . When you try to enable 2FA via text message on Account B, Instagram doesn’...
Read more

Privacy Settings Bypassed: Hidden Likes Still Visible Through Facebook Reels

Facebook allows users to control who can see the number of likes on their posts. For those who prefer privacy, there’s an option to make likes visible only to themselves — a simple setting designed to keep that engagement private. But here’s the catch: despite this privacy setting, a surprising loophole exists. Likes that are hidden on the post itself can still be viewed by others through the Reels feature . This inconsistency creates an unintended privacy gap, potentially exposing user engagement data that was meant to stay private. What’s Happening? Users who choose “Only Me” for like visibility expect that no one else can see their like counts on posts. While Facebook respects this setting on the main post, the same setting is not enforced in Reels. When others view the Reel related to the post, they can see the total likes — completely bypassing the user’s privacy preferences. Why This Is a Problem Privacy settings are fundamental to user trust. If a user takes the time to hi...
Read more