Fake TikTok OAuth 'Sign in with TikTok' Consent Phishing Scam
Malicious third-party apps and websites abuse TikTok's OAuth login integration to request excessive permissions — or replicate the TikTok login flow on fake pages — to steal creators' account access tokens.
Part of: Social Login & OAuth Phishing
Last reviewed: 8 June 2026
TikTok offers an OAuth integration that allows third-party creator tools — analytics dashboards, scheduling apps, and caption generators — to connect to TikTok accounts with the user's permission. When used properly, this requires the user to approve specific, limited permissions on TikTok's own authorisation page.
Scammers build tools advertised to creators, promising follower growth, viral analytics, or automated posting. When creators connect the tool via 'Sign in with TikTok,' the fake consent flow requests broad permissions — including the ability to post on the creator's behalf and access private follower data — or is hosted on a fake page that captures credentials.
With an access token, the attacker can post content on the creator's account, access follower data, and use the account for amplification campaigns without the creator's knowledge.
How this scam works on the TikTok brand
A TikTok creator sees an ad for a free analytics tool promising detailed follower growth stats. They click 'Connect TikTok' and are taken to what appears to be TikTok's authorisation page. The requested permissions include 'Manage your account, post on your behalf, read your direct messages, and access your followers.'
If the creator approves, the attacker's server stores the access token indefinitely. The creator may see unusual posts appearing on their account or receive reports from followers about DMs they did not send.
In a separate credential-theft variant, the 'Sign in with TikTok' button leads to a page at tiktok-auth.analytictool.com rather than www.tiktok.com, where a form captures the creator's TikTok username and password directly.
Common red flags
- TikTok's OAuth authorisation page URL must be www.tiktok.com/v2/auth — any other domain is fraudulent.
- Requested permissions that include posting content, accessing DMs, or managing followers for a read-only analytics tool are excessive.
- The third-party app is advertised via social media ads or DMs rather than in TikTok's own Creator Marketplace.
- The tool does not come from a reputable developer with a verifiable privacy policy and business registration.
- After connecting the tool, you notice posts or DMs sent from your account that you did not create.
- Your TikTok login credentials are requested on any page other than www.tiktok.com.
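As an added illustration of the first two red flags above (this is example code, not from this page or from TikTok), the checker below inspects a 'Sign in with TikTok' link: it requires the exact host www.tiktok.com under the /v2/auth path and flags any requested scope that a read-only analytics tool would not need. The scope names and sample links are constructed for the example and are not TikTok's actual identifiers.

```python
from urllib.parse import parse_qs, urlsplit

# Legitimate authorisation page, as stated in the red flags above.
LEGIT_HOST = "www.tiktok.com"
LEGIT_PATH_PREFIX = "/v2/auth"

# Scope names below are assumptions for illustration, not TikTok's real identifiers.
ANALYTICS_ONLY_SCOPES = {"user.info.basic", "video.list"}


def check_consent_url(url: str) -> list[str]:
    """Return red flags for a 'Sign in with TikTok' link offered by an
    analytics-only tool. An empty list means no flag fired; it is not
    proof that the app is legitimate."""
    flags = []
    parts = urlsplit(url)

    if parts.scheme != "https":
        flags.append(f"scheme is {parts.scheme!r}, expected 'https'")

    # .hostname drops userinfo and port, so 'www.tiktok.com@evil.example'
    # resolves to 'evil.example' and fails the exact match, as does the
    # lookalike subdomain 'www.tiktok.com.evil.example'.
    if parts.hostname != LEGIT_HOST:
        flags.append(f"host is {parts.hostname!r}, expected {LEGIT_HOST!r}")
    elif not parts.path.startswith(LEGIT_PATH_PREFIX):
        flags.append(f"path {parts.path!r} is not under {LEGIT_PATH_PREFIX!r}")

    # Collect requested scopes; providers accept comma or space separators.
    scopes: set[str] = set()
    for raw in parse_qs(parts.query).get("scope", []):
        scopes.update(raw.replace(",", " ").split())

    excess = sorted(scopes - ANALYTICS_ONLY_SCOPES)
    if excess:
        flags.append("scopes beyond read-only analytics: " + ", ".join(excess))
    return flags


if __name__ == "__main__":
    # Constructed sample links; the second mirrors the lookalike domain
    # described on this page.
    samples = [
        "https://www.tiktok.com/v2/auth/authorize/?client_key=k&scope=user.info.basic,video.list",
        "https://tiktok-auth.analytictool.com/v2/auth/?scope=user.info.basic",
        "https://www.tiktok.com@evil.example/v2/auth/?scope=user.info.basic",
        "https://www.tiktok.com/v2/auth/authorize/?scope=user.info.basic,video.publish,message.read",
    ]
    for s in samples:
        print(s, "->", check_consent_url(s) or ["no red flags"])
```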
How to protect yourself
- Review all third-party apps connected to your TikTok account at tiktok.com/settings/security (Connected Apps) and revoke any you do not recognise.
- Before approving TikTok OAuth permissions, read each permission carefully and reject requests for posting or DM access from analytics-only tools.
- Enable two-factor authentication on TikTok via Settings > Security > 2-Step Verification.
- If you approved a suspicious app, revoke its access immediately and change your TikTok password.
- Check your TikTok account's recent posts and sent DMs for any content you did not create.
How to report it
- Report the malicious app to TikTok through the Help Center at support.tiktok.com.
- Report the phishing website to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish/.
- Report to the FTC at ReportFraud.ftc.gov.
- UK users: report to Action Fraud at actionfraud.police.uk.
Frequently asked questions
How do I check which apps are connected to my TikTok account?
Go to TikTok Settings > Security > Authorised Apps (or Connected Apps). Review each listed app and tap Remove for any you do not recognise or no longer use.
Can a third-party app post on TikTok on my behalf?
Yes, if you grant it that permission through TikTok's OAuth flow. This is why it is critical to read the permission screen carefully before approving any third-party connection.
Does revoking an app's TikTok access undo what the app already did?
Revoking access prevents future actions but does not reverse posts or data exports the app already made. Review your recent posts and report any unauthorised content to TikTok.