
As Many As 700,000 Turkish TikTok Accounts Were Hacked Before The Country’s Presidential Election

A U.K. security agency warned TikTok about the exploited vulnerability more than a year earlier, but the company chose not to fix it.

By Emily Baker-White, Forbes Staff


Weeks before Turkey’s authoritarian president, Recep Tayyip Erdoğan, eked out a narrow reelection in May, TikTok’s acting security chief, Kim Albarella, received a piece of bad news: As many as 700,000 TikTok accounts in Turkey had been compromised by a hack that allowed attackers to access users’ private information and control their accounts.

Internal emails, chat logs, documents, and other sourcing from inside and outside of TikTok reveal that the company was made aware of the vulnerability, which stemmed from its so-called “greyrouting” of SMS messages through insecure channels, more than a year earlier: In April 2022, TikTok’s security chief Roland Cloutier received an email from the U.K.’s National Cyber Security Centre, a division of the nation’s top intelligence agency, GCHQ, warning that this practice could allow “SIM farms” in Russia and other countries to request and intercept one-time passwords to gain access to TikTok users’ accounts.

In layman’s terms, greyrouting means sending SMS text messages through unsecured channels in order to bypass fees established by international telecommunications agreements. Using greyroutes can save companies money and help them avoid guardrails like rate limits and anti-spam detection, but doing so can compromise messages’ security, making them vulnerable to interception.

Cloutier’s team internally investigated the GCHQ tip, and learned that ByteDance was indeed using greyrouting to keep costs down. The company then considered changing its SMS message providers, but decided against the change, apparently because the fix would have cost the company millions of dollars each month.

Alex Stamos, director of the Stanford Internet Observatory and former security chief for Facebook, cautioned that without more information, it’s hard to know how significant the breach was. “This could range from a super advanced spam attack to a state actor,” he said. “If you’d just told me 700,000 accounts, I’d tell you that’s a Wednesday.” But he noted that SMS hijacking attacks are often more targeted than random takeovers, and “authoritarian states almost always have control of telecom companies.”

This exploit is the largest known compromise of TikTok accounts that has been acknowledged as genuine by the company. (TikTok denied reports of another alleged attack in September 2022.) In response to a detailed list of bullet points and questions about the attack, TikTok spokesperson Alex Haurek wrote in an email, “TikTok became aware of unusual activity in April that affected the number of likes and accounts being followed on some user accounts. We immediately took steps to reverse and terminate this activity, notified affected users, and helped them secure their accounts.”

Haurek continued, “TikTok was not ‘hacked.’ None of our internal systems were compromised and no company data was exfiltrated. When TikTok became aware of the incident in question, we immediately ramped up monitoring for inauthentic behavior, while working to mitigate the issue, which has since been resolved.” He said TikTok did not find any evidence that “unauthorized content was posted or used in direct messages.”

TikTok and its parent company, ByteDance, have faced harsh scrutiny in recent months for misleading lawmakers about their data security practices. In April, Forbes revealed that the company had stored sensitive financial information from thousands of U.S. vendors and creators in China, despite testimony from TikTok CEO Shou Zi Chew at a recent hearing that “American data has always been stored in Virginia and Singapore.” Meanwhile, ByteDance is under federal criminal investigation for using the TikTok app to spy on journalists, including this reporter. (Disclosure: in a former life, I held policy positions at Facebook and Spotify.)

It is also not clear who exploited the vulnerability. Under Erdoğan, the Turkish government has a history of using state-sponsored troll networks to hack and intimidate journalists and other critics. In the run-up to the May election, Erdoğan relied on deepfakes and censorship to help swing voters his way. His main opponent in the election, Kemal Kılıçdaroğlu, also accused Russia’s government of distributing false information during the days before the election. Haurek said an internal TikTok investigation found no evidence that the activity was related to the Turkish elections.

This security breach emphasizes the power and responsibility that TikTok now holds as one of the most popular apps in the world. Like tech giants Meta, Twitter, and Google, its endless feed of personalized recommendations has the power to move markets, change culture and swing elections. This power has alarmed regulators concerned about the company’s ties to the Chinese state, but has also made its app a prime target for hackers, bot armies, scammers and others seeking to exploit its billions of users.

The risk of exploitation is heightened in states with records of human rights violations, and also in the periods leading up to major elections. TikTok has repeatedly deemphasized the role of politics on its platform, differentiating itself from Facebook, which previously encouraged politicians to use its platform for advocacy. Its lobbyists have told politicians and reporters that TikTok is “not the go-to place for politics,” while also assuring them that political speech on the app will not be censored. But with Twitter’s rightward shift and Meta’s 180-degree turn away from political content (a decision the company made after election deniers on its platforms helped incite the January 6, 2021 attack on the U.S. Capitol), TikTok may be the next natural place for political discourse.

This week, TikTok published a blog post announcing that the app is introducing passkeys — a way for users to log into their accounts without using SMS codes — and that it had joined a security trade group called the FIDO Alliance. A tweet from the FIDO Alliance shows that TikTok first joined the group in April, and the new passkeys feature rolled out in late June.

When asked whether any TikTok or ByteDance SMS vendors were still engaged in greyrouting today, Haurek said, “Like many global companies, we have multiple partners in the telecommunications sector and, while we do not disclose those partners by geography, we continuously work to keep our community secure.”

