Recent Incidents
As Forbes first reported, TikTok revealed that several high-profile accounts, including CNN and Paris Hilton, were compromised simply by being sent a direct message (DM). Attackers apparently used a zero-day vulnerability in the messaging component to run malware when the message was opened.
The NSA advises smartphone users to turn their devices off and back on once a week as a safeguard against zero-click attacks, while acknowledging that this tactic will only occasionally prevent such attacks from succeeding. There are still steps you can take to protect yourself, and security software such as a reputable VPN can assist you.
TikTok’s Vulnerability: A Case Study in Zero-Click Exploits
As the name implies, a zero-click attack or exploit requires no activity from the victim. Malicious software can be installed on the targeted device without the user clicking on any links or downloading any harmful files.
This property makes these attacks extremely difficult to detect: because no interaction is required, the victim sees nothing unusual that would hint at hostile activity.
Zero-click exploits rely on unpatched flaws in software code, known as zero-day vulnerabilities. According to experts at security firm Kaspersky, apps with messaging or voice-calling functions are frequent targets because "they are designed to receive and interpret data from untrusted sources", which makes them more exposed.
Once a device vulnerability has been successfully exploited, attackers can deploy malware, such as info stealers, to scrape your private data. Worse, they can install spyware in the background that records all of your activity.
The Silent Threat
This is exactly how the Pegasus spyware attacked so many victims—more than 1,000 people in 50 countries, according to the 2021 joint investigation—without them even knowing it.
The same year, Citizen Lab security researchers revealed that nine Bahraini activists' iPhones had been infiltrated with Pegasus spyware using two zero-click iMessage exploits. In 2019, attackers used a WhatsApp zero-day vulnerability to deliver malware through a missed call.
As the celebrity TikTok hack shows, social media platforms are becoming the next popular target. Meta, for example, recently patched a similar vulnerability that could have let attackers take over any Facebook account.
Protective Measures
- Regularly update your operating system, apps, and firmware. Patches often address known vulnerabilities.
- Enable automatic updates to stay protected without manual intervention.
- Download apps only from official app stores (e.g., Google Play, Apple App Store). Third-party sources may harbor malicious apps.
- Remove unused apps to reduce your attack surface.
- Enable MFA for all your accounts, especially social media platforms. Even if an attacker gains access to your password, MFA adds an extra layer of security.
- Use authenticator apps or hardware tokens instead of SMS-based codes.
- Be cautious when opening DMs, especially from unknown senders.
- Avoid clicking on links or downloading files unless you’re certain of their legitimacy.
- Treat media files (images, videos, audio) with suspicion.
- Avoid opening files from untrusted sources, even if they appear harmless.
- Modifying your device's software (jailbreaking/rooting) weakens its security.
- Stick to the official software to keep the built-in defenses intact.