Microsoft discovered a vulnerability in the TikTok Android app

The TikTok Android app had a serious security issue, which Microsoft discovered and reported to TikTok. Microsoft has now published the details for the security community: a high-severity vulnerability that could have let an attacker compromise an account with a single click. TikTok has since fixed it.

The vulnerability affected TikTok for Android version 23.7.3 and below, and exploiting it required chaining several issues together. Microsoft says it is not aware of any exploitation in the wild, so users are unlikely to have been affected. There are actually two TikTok apps on Android, one for East and Southeast Asia and another for the rest of the world. Microsoft's vulnerability assessment found that both were affected, which puts the combined exposure at about 1.5 billion installs.

With the vulnerability, an attacker could have hijacked a TikTok account on Android just by getting the user to click a single link, without the user noticing anything. The attacker could then have used the compromised profile to view private videos, send messages, or upload videos on the user's behalf.

So how, specifically, could an attacker have used this? According to Microsoft, it was possible to bypass the app's deep link verification and force the application to load an attacker-controlled URL into its WebView. The page at that URL could then call the WebView's JavaScript bridges, which exposed more than 70 methods to the loaded page and gave the attacker quick access to the user's information. The attacker could also have stolen the user's authentication tokens by triggering a request to a server they controlled and logging the cookies and request headers that the app sent with it.
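The weak link in that chain is the deep link check itself: if the app will load whatever URL a deep link names, and only a bypassable check stands between that URL and a WebView with JavaScript bridges attached, then one crafted link hands the bridges to the attacker's page. The example below is added here to illustrate that bug class; it is not TikTok's code, not Microsoft's, and not the specific bypass Microsoft found (the report summarised above does not spell that out). The `exampleapp://webview?url=...` deep link, the `example-app.com` hosts and the sample targets are all hypothetical, constructed for the demo. It puts a naive substring check beside a parse-then-allowlist check and runs both over the same links. In a real Android app the same check belongs on the `Intent` data before `WebView.loadUrl()`, and bridges registered with `addJavascriptInterface()` should only ever be attached for pages that pass it.

```python
"""Deep-link target validation: a weak check beside a strict one.

Added example, not TikTok's or Microsoft's code. Models the bug class in the
report above: a deep link names a URL, the app checks that URL, and on
success loads it into a WebView whose JavaScript bridges the page can then
call. If the check is bypassable, an attacker-controlled page gets the
bridges. The scheme, hosts and deep-link values are all hypothetical.
"""
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, quote, urlparse

# Hypothetical first-party hosts the WebView is allowed to load.
ALLOWED_HOSTS = {"www.example-app.com", "m.example-app.com"}

# Hypothetical app-private deep link: exampleapp://webview?url=<target>
DEEP_LINK_SCHEME = "exampleapp"
DEEP_LINK_HOST = "webview"


def weak_is_trusted(url: str) -> bool:
    """Common mistake: a substring test on the raw string. Anything that
    starts with https:// and contains the brand name passes."""
    return url.startswith("https://") and "example-app.com" in url


def strict_is_trusted(url: str) -> bool:
    """Parse first, then compare the *hostname* against an exact allowlist.
    Userinfo (https://good.com@evil.test/) is rejected outright, since it
    is a classic way to put a trusted-looking name in front of the real
    host."""
    p = urlparse(url)
    if p.scheme != "https":
        return False
    if p.username is not None or p.password is not None:
        return False
    host = (p.hostname or "").rstrip(".")
    return host in ALLOWED_HOSTS


def build_deep_link(target: str) -> str:
    """Construct exampleapp://webview?url=<percent-encoded target>."""
    return f"{DEEP_LINK_SCHEME}://{DEEP_LINK_HOST}?url={quote(target, safe='')}"


def webview_target(deep_link: str,
                   is_trusted: Callable[[str], bool]) -> Optional[str]:
    """Emulate the app's deep-link handler. Returns the URL that would be
    passed to WebView.loadUrl(), or None when the link is rejected."""
    p = urlparse(deep_link)
    if p.scheme != DEEP_LINK_SCHEME or p.netloc != DEEP_LINK_HOST:
        return None
    target = parse_qs(p.query).get("url", [None])[0]
    if target is None or not is_trusted(target):
        return None
    return target


# Constructed sample targets: one legitimate, the rest crafted to satisfy
# the substring check while actually pointing at an attacker host.
SAMPLE_TARGETS = [
    "https://m.example-app.com/video/123",          # legitimate
    "https://www.example-app.com.evil.test/",       # brand as a subdomain of evil
    "https://www.example-app.com@evil.test/",       # brand in userinfo
    "https://evil.test/?ref=www.example-app.com",   # brand in the query string
    "http://www.example-app.com/",                  # wrong scheme
]


def compare_checks() -> Dict[str, Dict[str, Optional[str]]]:
    """For each sample, what each check would let into the WebView."""
    out: Dict[str, Dict[str, Optional[str]]] = {}
    for target in SAMPLE_TARGETS:
        link = build_deep_link(target)
        out[target] = {
            "weak": webview_target(link, weak_is_trusted),
            "strict": webview_target(link, strict_is_trusted),
        }
    return out


if __name__ == "__main__":
    for target, result in compare_checks().items():
        print(f"{target}\n  weak   -> {result['weak']}\n  strict -> {result['strict']}")
```

Run it and the weak check waves three of the four attacker links through to the WebView, while the strict check accepts only the legitimate `m.example-app.com` page. The design point is the order of operations: parse the URL into its components with the platform parser, then decide on the hostname alone against an exact allowlist; never decide on the raw string, and never let a trusted-looking prefix, userinfo, query string or fragment influence the decision.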

Microsoft has written about JavaScript bridge issues in the past, and a CVE entry, CVE-2022-28799, is available with more details on this TikTok vulnerability. Microsoft reported the issue to TikTok through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) in February 2022, and TikTok patched it within a month of the disclosure. Microsoft argues that this case shows just how important it is to coordinate research and threat intelligence across the tech industry.

Source: Microsoft