Over a billion TikTok users exposed to 'one-click account takeover'

A high-severity vulnerability in the TikTok Android app could have allowed "one-click" account hijacking, Microsoft has revealed.

In an article published on the Microsoft security blog, the company reported that a chain of issues could have been abused to create a scenario in which an account could be compromised simply by pressing a specially designed.

"Attackers would have been able to access and modify users' TikTok profiles and sensitive information, such as posting private videos, sending messages, and uploading videos on behalf of users," Microsoft explained.

TikTok security bug

The vulnerability in question was reportedly present in all versions of the Android TikTok client, which together have been installed more than 1.5 billion times.

The issue revolved around the implementation of the app's JavaScript interfaces, which are widely used in TikTok for Android. The report dives into the technical details, but essentially, by exploiting the handling of the application's JavaScript interfaces in combination with the way Android routes URLs, Microsoft was able to demonstrate account compromise.
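The pattern Microsoft describes, a URL routed into a WebView that exposes a JavaScript interface, is illustrated below as an added example. It is not TikTok's code and is not taken from Microsoft's write-up; the Activity, the host allowlist, the `NativeBridge` object and the `example-app.com` hosts are all hypothetical. It shows the check a defender wants in this situation: validate an incoming deep link before it ever reaches a WebView that has `addJavascriptInterface` attached, and re-validate on every subsequent navigation so a trusted page cannot hand the bridge to an untrusted origin.

```java
// Added illustration (hypothetical app, not TikTok's code): an Android Activity that
// receives a deep link, validates it, and only then loads it into a WebView that
// exposes a JavaScript bridge.
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class DeepLinkWebViewActivity extends Activity {

    // Hypothetical allowlist of first-party hosts permitted to reach the bridge.
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<>(Arrays.asList("www.example-app.com", "m.example-app.com"));

    // Hypothetical bridge object. Every method annotated @JavascriptInterface is
    // callable from page script, so the bridge must only be reachable from
    // origins the app trusts.
    static class NativeBridge {
        private final String sessionToken;
        NativeBridge(String sessionToken) { this.sessionToken = sessionToken; }

        @JavascriptInterface
        public String getSessionToken() { return sessionToken; }
    }

    /** Returns true only for https URLs whose host is exactly on the allowlist. */
    static boolean isTrustedUrl(Uri uri) {
        if (uri == null) return false;
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        if (uri.getUserInfo() != null) return false;   // reject user@host confusion
        String host = uri.getHost();
        if (host == null) return false;
        return TRUSTED_HOSTS.contains(host.toLowerCase());
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        Intent intent = getIntent();
        Uri target = intent != null ? intent.getData() : null;
        if (!isTrustedUrl(target)) {
            // Untrusted deep link: never load it into the bridged WebView.
            finish();
            return;
        }

        webView.getSettings().setJavaScriptEnabled(true);
        // "placeholder-token" stands in for whatever secret the real bridge would hold.
        webView.addJavascriptInterface(new NativeBridge("placeholder-token"), "NativeBridge");

        // Re-check each subsequent navigation so a trusted page that redirects to
        // an untrusted origin cannot carry the bridge along with it.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true blocks the navigation inside this WebView.
                return !isTrustedUrl(request.getUrl());
            }
        });

        webView.loadUrl(target.toString());
    }
}
```

The allowlist compares the parsed host exactly rather than with `contains` or `endsWith`, which is where this class of check usually goes wrong; a stricter design keeps the bridge out of any WebView that can be reached from an externally supplied URL at all.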

Fortunately, the researchers found no evidence that the vulnerability was being exploited in the wild, and the issue was fixed shortly after it was disclosed in February. According to Microsoft, the TikTok security team is commendable for its quick and efficient response.

“This case demonstrates how the ability to coordinate threat intelligence research and sharing through cross-industry expert collaboration is necessary to effectively mitigate issues,” said Dimitrios Valsamaras of the Microsoft 365 Defender Research Team.

"As platform threats continue to grow in number and sophistication, vulnerability disclosures, a coordinated response, and other ways to share threat intelligence are needed to help secure the computing experience for users, regardless of platform or device."

Although the fix has already reached the majority of TikTok users, affected users can ensure that they are protected by updating their app to the latest version.