A U.K. security agency warned TikTok about the exploited vulnerability more than a year earlier, but the company chose not to fix it.

By Emily Baker-White, Forbes Staff

Weeks before Turkey’s authoritarian president, Recep Tayyip Erdoğan, eked out a narrow reelection in May, TikTok’s acting security chief, Kim Albarella, received a piece of bad news: As many as 700,000 TikTok accounts in Turkey had been compromised by a hack that allowed attackers to access users’ private information and control their accounts.

Internal emails, chat logs, documents, and other sourcing from inside and outside of TikTok reveal that the company was made aware of the vulnerability, which stemmed from its so-called “greyrouting” of SMS messages through insecure channels, more than a year earlier: In April 2022, TikTok’s security chief Roland Cloutier received an email from the U.K.’s National Cyber Security Centre, a division of the nation’s top intelligence agency, GCHQ, warning that this practice could allow “SIM farms” in Russia and other countries to request and intercept one-time passwords to gain access to TikTok users’ accounts.

In layman’s terms, greyrouting means sending SMS text messages through unsecured channels in order to bypass fees established by international telecommunications agreements. Using greyroutes can save companies money and help them avoid guardrails like rate limits and anti-spam detection, but doing so can compromise messages’ security, making them vulnerable to interception.

Cloutier’s team internally investigated the GCHQ tip, and learned that ByteDance was indeed using greyrouting to keep costs down. The company then considered changing its SMS message providers, but decided against the change, apparently because the fix would have cost the company millions of dollars each month.

Alex Stamos, director of the Stanford Internet Observatory and former security chief for Facebook, cautioned that without more information, it’s hard to know how significant the breach was. “This could range from a super advanced spam attack to a state actor,” he said. “If you’d just told me 700,000 accounts, I’d tell you that’s a Wednesday.” But he noted that SMS hijacking attacks are often more targeted than random takeovers, and “authoritarian states almost always have control of telecom companies.”

This exploit is the largest known compromise of TikTok accounts that has been acknowledged as genuine by the company. (TikTok denied reports of another alleged attack in September 2022.) . . .