A high-severity vulnerability in the TikTok Android application could have allowed accounts to be hijacked “with a single click”, Microsoft has revealed.
In a paper (opens in new tab) published to the Microsoft Security blog, the company reported that a chain of issues could have been abused to create a scenario whereby an account could be compromised with a single press of a specially crafted link.
“Attackers could have then accessed and modified users’ TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users,” explained Microsoft.
TikTok security bug
The vulnerability in question is said to have been present in all versions of the TikTok Android client, which have collectively been installed more than 1.5 billion times.
The issue revolved around the app’s implementation of JavaScript interfaces, which are used extensively across TikTok for Android. The report dives into the technical nitty gritty but, in essence, by exploiting the app’s handling of JavaScript interfaces, in combination with the way Android routes URLs, Microsoft was able to demonstrate an account compromise.
Mercifully, the researchers did not discover any evidence the vulnerability was exploited in the wild – and the issue was patched shortly after the issue was disclosed back in February. According to Microsoft, the TikTok security team should be commended for the swiftness and efficiency of its response.
“This case displays how the ability to coordinate research and threat intelligence sharing via expert, cross-industry collaboration is necessary to effectively mitigate issues,” said Dimitrios Valsamaras, of the Microsoft 365 Defender Research Team.
“As threats across platforms continue to grow in numbers and sophistication, vulnerability disclosures, coordinated response, and other forms of threat intelligence sharing are needed to help secure users’ computing experience, regardless of the platform or device in use.”
Although the patch will already have made its way to the majority of TikTok-ers, concerned users can guarantee they are protected by updating their app to the latest version.
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba