Dangerous vulnerability in Tiktok app for Android

The Microsoft 365 Defender Research Team has discovered a critical vulnerability in the Tiktok app for Android.

Microsoft reported on its security blog this week about a “highly dangerous” vulnerability in the Tiktok app for Android. The vulnerability was discovered by the Microsoft 365 Defender Research Team and has since been fixed by the app developers. According to Microsoft, it has found no evidence that the vulnerability was exploited.

Hijacking a Tiktok account with just one click

The vulnerability could have been exploited by attackers to hijack a Tiktok account without the owner noticing. The account holder simply had to click on a specially crafted link. Anyone who fell into this trap would have granted attackers access to their Tiktok profile and therefore to their personal user data. With full access to the hijacked Tiktok account, attackers could have published videos or sent messages on behalf of the account owner.

According to Microsoft, the vulnerability allowed attackers to bypass the deep link verification of the Tiktok app for Android. The app could thereby be forced to load an arbitrary URL in its WebView. A page loaded this way could reach the JavaScript bridges connected to the WebView, which exposed various app functions to the attacker.
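The defensive counterpart to the bypass described above is strict validation of the URL carried by a deep link before it reaches a WebView that exposes JavaScript bridges. The following is an added illustration written for this article, not TikTok's code; the class, method and bridge names and the allowlisted hosts are assumptions.

```java
import android.net.Uri;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Illustrative only: guards a WebView that exposes a JavaScript bridge against
// deep links that try to steer it to an attacker-chosen URL. Names are assumed.
public final class DeepLinkWebViewGuard {
    // Assumed allowlist of hosts the bridged WebView may load.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com", "m.example.com"));

    // Weak check: substring matching accepts "https://www.example.com.evil.test/"
    // and "https://evil.test/?ref=www.example.com", so it is not a verification.
    static boolean weakIsAllowed(String url) {
        return url != null && url.contains("www.example.com");
    }

    // Hardened check: parse the URL, require https, and compare the parsed host
    // exactly (case-insensitively) against the allowlist. Unparseable input,
    // non-https schemes such as javascript: or file:, and userinfo tricks like
    // "https://www.example.com@evil.test/" are all rejected.
    static boolean isAllowed(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false;
        if (!"https".equalsIgnoreCase(scheme)) return false;
        return ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    // The bridge is attached only when the deep-linked URL passed the hardened
    // check; a rejected URL is simply not loaded into the bridged WebView.
    static boolean openFromDeepLink(WebView webView, Object bridge, String targetUrl) {
        if (!isAllowed(targetUrl)) {
            return false;
        }
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(bridge, "AppBridge"); // assumed bridge name
        webView.loadUrl(targetUrl);
        return true;
    }
}
```

The host check covers the initial load only; a WebViewClient that applies the same allowlist in shouldOverrideUrlLoading is still needed, because an allowed page can redirect elsewhere while the bridge remains attached.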

Tiktok responded immediately

According to Microsoft, Tiktok has two versions of its app – one for East and Southeast Asia and one for all other countries. The security experts found the vulnerability in both app versions, so 1.5 billion users were potentially at risk. Tiktok was informed about the flaw in February 2022 and immediately published a fix.

“We commend the efficient and professional solution provided by the TikTok security team. TikTok users are advised to ensure they are using the latest version of the app.”

writes Microsoft.
