Microsoft has revealed details of a high severity vulnerability in the TikTok app for Android. The Microsoft 365 Defender Research Team shares news of the now-fixed security flaw which the company says could have allowed an attacker to take over a victim’s account by simply getting them to click a malicious link.
With hundreds of millions of users around the world, TikTok is one of the most popular social platforms at the moment; the potential damage from the successful exploitation of such a vulnerability is huge.
Thankfully, as Microsoft points out, there is no evidence that the vulnerability has been exploited in the wild. This is thanks in part to the fact that while the vulnerability has been assigned a high severity label, successful exploitation would require an attacker to take advantage of several security issues in succession.
In a blog post about the discovery, the company says:
Microsoft discovered a high-severity vulnerability in the TikTok Android application, which could have allowed attackers to compromise users’ accounts with a single click. The vulnerability, which would have required several issues to be chained together to exploit, has been fixed and we did not locate any evidence of in-the-wild exploitation. Attackers could have leveraged the vulnerability to hijack an account without users’ awareness if a targeted user simply clicked a specially crafted link. Attackers could have then accessed and modified users’ TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users.
Microsoft goes on to explain:
The vulnerability allowed the app’s deeplink verification to be bypassed. Attackers could force the app to load an arbitrary URL to the app’s WebView, allowing the URL to then access the WebView’s attached JavaScript bridges and grant functionality to attackers.
A detailed breakdown of the way the TikTok app has implemented JavaScript interfaces, and the way in which this opened up the potential for hijacking, is explained in Microsoft’s blog post.
Image credit: rafapress / depositphotos