TikTok 2FA Bypass via Third-Party Integration: A Critical Oversight I Discovered

Discovering a Two-Factor Authentication Bypass in TikTok’s Third-Party Login

While performing routine security testing, I found a critical vulnerability in TikTok’s authentication system that allows two-factor authentication (2FA) to be bypassed when logging in via third-party apps.

Description of the Issue

TikTok offers a “Sign in with TikTok” option that lets users access third-party apps like CapCut without entering separate credentials. However, I noticed that when using this method, the second step of verification—2FA—is completely skipped. Even if 2FA is enabled on the TikTok account, the login process through the third-party app never asks for the second authentication factor.

This effectively grants full access to the account with just a username and password, undermining the core security that 2FA is meant to provide.

Steps to Reproduce

  1. Enable two-factor authentication on a TikTok account.

  2. Use a third-party app, such as CapCut, that supports “Sign in with TikTok.”

  3. Attempt to log in to TikTok through this third-party app.

  4. Observe that the login proceeds without prompting for the 2FA code.

  5. Notice full account access is granted, despite 2FA being enabled.

Security and Privacy Impact

This vulnerability presents serious risks:

  • Bypassing 2FA Protections: Attackers can log in without needing the second factor, increasing the chance of unauthorized account access.

  • Inconsistent Security Enforcement: Users expect 2FA to be enforced regardless of login method.

  • Exposure of Sensitive Data: High-profile users relying on 2FA for account security become vulnerable through third-party logins.

  • Potential Account Takeovers: Without the second factor, attackers can fully compromise accounts.

Business Impact

If this flaw is exploited, it could:

  • Damage TikTok’s reputation for account security.

  • Result in loss of user trust, especially among creators and influencers.

  • Lead to data breaches, account hijackings, and related financial or legal consequences.

Conclusion

Even though my report was marked as a duplicate, this issue underscores the importance of enforcing two-factor authentication consistently across all login pathways. Users expect that enabling 2FA means their accounts are protected no matter how they log in.

Security should be seamless and universal, not selectively applied. Addressing these inconsistencies is crucial to maintaining trust and safeguarding user data.


Comments

Post a Comment

Popular posts from this blog

When an AI Search Engine Forgot Who It Was: A Bug Report That Changed Perplexity AI’s Identity

Image
 Back on March 11, 2024 , I discovered something oddly off about how Perplexity AI saw itself. I had just downloaded the newly launched Perplexity Chrome extension , even though I’d been using the mobile app long before that. Just for fun, I asked the most basic, yet revealing question imaginable: “Are you better than Google?” It seemed like the perfect litmus test for a product that claims to reinvent search. But to my surprise, the response had nothing to do with Perplexity. Instead, it launched into a comparison between ChatGPT and Google. I was stunned - this wasn’t a chatbot; this was Perplexity, a search engine. Why was it talking like it was just a wrapper for OpenAI? Curious (and confused), I switched to the app version and asked the same question. The response was identical: Perplexity was still comparing ChatGPT to Google, completely ignoring its own identity in the process. That’s when it hit me - this wasn’t just a UX quirk; it was a core product logic bug . It wasn...
Read more

Understanding Android’s One-Time Permissions and Their Privacy Implications

I recently came across something unusual in Android’s one-time permission system — something that doesn’t quite match the way it’s described in the official documentation. This is related to the permissions we often see when an app asks for access to sensitive resources like the microphone or camera with the setting “Ask every time.” According to Android’s official documentation, one-time permissions should work like this: When the app is visible and in use, it can access the requested resource. If the app is sent to the background, it may still access the resource briefly. If the app is completely closed — either by swiping it away or force stopping it — the permission is revoked immediately. That means, in theory, if I close an app after granting it one-time access, it should ask me again the next time it needs that permission. What I Found While testing, I discovered that Android doesn’t always revoke these permissions instantly when the app is closed. Instead, if ...
Read more

I Accidentally Gained Admin Access to a LinkedIn Company Page - No Verification Needed

I’ve been using LinkedIn for years as a way to connect with professionals, follow companies, and share my work. It’s a platform trusted by millions for networking and recruitment. Company pages are especially important — they act as the official voice of an organization, showing job listings, updates, and brand presence. Recently, while casually browsing LinkedIn, I stumbled upon something that made me stop and rethink how secure this feature really is. I found that it’s possible to take full administrative control of certain company pages without any verification at all. No company email, no proof of employment, no review by HR or LinkedIn — just instant access. How I Discovered It It all started with a LinkedIn post about a drone technology company. Out of curiosity, I clicked through to see their LinkedIn profile. The page didn’t look like the usual auto-generated company pages LinkedIn creates when several employees list the same workplace. Instead, it looked like a manually create...
Read more