TikTok: a serious security flaw was reportedly found in the app, here is what we know


Thibaut Keutchayan

September 05, 2022 at 08:30 am


TikTok © diy13/Shutterstock.com

Let's be clear right away: this vulnerability was discovered by Microsoft and has since been patched by TikTok.

Fortunately, it appears the flaw was never exploited. Otherwise, nearly 1.5 billion users of the social network could have been affected.

Fortunately, this flaw never led to any hacks

Microsoft's security and vulnerability research teams made a discovery that affected both versions of TikTok: the one dedicated to East and Southeast Asia, and the one distributed to the rest of the world. The famous social network was exposed to an increased risk of account hijacking in version 23.7.3 of the Android application, as well as in earlier versions of the app. The Redmond firm made this discovery in March 2022 and immediately informed the parent company ByteDance. The reaction was quick and the security flaw was patched right away.

According to Microsoft, a single click on a malicious link was all it took to put a TikTok account holder at risk of having the account hijacked in no time. The technique resembles phishing, but, according to researchers at the company founded by Bill Gates, it was not exploited by attackers before the patch. Enough to file it away as a closed case, although the consequences would have been serious had attackers managed to take advantage of the flaw.

Attackers would have had full access to the content of the targeted accounts, whether stored personal data or published videos. As for what they could have done with that access, we'll let your imagination run wild, but nothing good, that much is certain.

A patch was quickly deployed by TikTok on the affected Android versions

An attacker could force the app to load a malicious URL in its WebView component. That gave easier access to the JavaScript bridges exposed in that WebView, and through them to various native features and, according to Microsoft, roughly 70 methods that could be used to access information from the logged-in TikTok account.

The account holder's authentication tokens could also be retrieved through the deep link used by the affected Android versions, once the victim clicked on it. Likewise, an HTTP request to an attacker-controlled server, reusing the victim's cookies and headers, would have made the hijack possible. In any case, if you still have an outdated version of TikTok on an affected Android device, update it without delay.
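To make the mechanism concrete, here is an added example (not TikTok's code, and not from Microsoft's report) of the Android pattern the article describes: a deep-link Activity that takes a URL parameter from the incoming link and loads it into a WebView that carries a JavaScript bridge, shown beside a hardened version. The package, class, host names, the `url` query parameter and the bridge's `getSessionToken` method are assumptions for illustration only.

```java
// Added example, not TikTok's code: an Android deep-link Activity that hands an
// attacker-controlled URL to a WebView carrying a JavaScript bridge, beside a
// hardened version. Package, class, host names, the "url" parameter and the
// bridge's methods are assumptions for illustration.
package com.example.deeplinkdemo;

import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class DeepLinkActivity extends Activity {

    // Bridge object exposed to page JavaScript as window.AppBridge.
    static class AppBridge {
        private final String sessionToken;
        AppBridge(String sessionToken) { this.sessionToken = sessionToken; }

        // Any page rendered with the bridge attached can call
        // AppBridge.getSessionToken() and send the value to a server it controls.
        @JavascriptInterface
        public String getSessionToken() { return sessionToken; }
    }

    // Only these exact hosts may be rendered with the bridge attached (assumed list).
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com", "m.example.com"));

    private WebView webView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);

        Uri deepLink = getIntent().getData();   // e.g. example://open?url=https%3A%2F%2F...
        String target = deepLink == null ? null : deepLink.getQueryParameter("url");
        if (target == null) { finish(); return; }

        // loadVulnerable(target);   // the flawed pattern
        loadHardened(target);        // the fix
    }

    // VULNERABLE: the URL taken from the deep link is loaded as-is with the
    // bridge attached, so a page on https://attacker.example/ gets AppBridge too.
    void loadVulnerable(String target) {
        webView.setWebViewClient(new WebViewClient());
        webView.addJavascriptInterface(new AppBridge(currentSessionToken()), "AppBridge");
        webView.loadUrl(target);
    }

    // HARDENED: scheme and exact host are checked before loading, and re-checked
    // on every navigation so a trusted page cannot redirect to an untrusted one
    // while the bridge is still attached.
    void loadHardened(String target) {
        if (!isTrusted(target)) { finish(); return; }
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                if (isTrusted(request.getUrl().toString())) return false; // let WebView load it
                view.removeJavascriptInterface("AppBridge");
                return true; // block the off-allowlist navigation
            }
        });
        webView.addJavascriptInterface(new AppBridge(currentSessionToken()), "AppBridge");
        webView.loadUrl(target);
    }

    // Exact-match allowlist on scheme and host. Substring, prefix or suffix checks
    // ("contains example.com", "endsWith ...") are the classic bypass.
    static boolean isTrusted(String url) {
        Uri u = Uri.parse(url);
        return "https".equals(u.getScheme())
                && u.getHost() != null
                && u.getUserInfo() == null
                && TRUSTED_HOSTS.contains(u.getHost().toLowerCase());
    }

    private String currentSessionToken() {
        return "session-token-placeholder"; // assumed: read from secure storage in a real app
    }
}
```

The two points a practitioner should take from the example: the bridge must only ever be attached for origins the app fully controls, and the origin check must be repeated on every navigation, because a single open redirect on a trusted host is enough to land an attacker's page in a WebView that still has the bridge. `shouldOverrideUrlLoading` only sees top-level navigations, so sub-resources and iframes served from a trusted host are not filtered by it; the exact-host allowlist and `https`-only rule are what keep the bridge out of reach of third-party content.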

Source: XDA Developers


