TikTok’s Android app had a vulnerability giving attackers undetectable access to accounts

Today, Microsoft disclosed a vulnerability in the TikTok Android app that allowed attackers to access user accounts with a single click. This follows a recent clarification from TikTok about a suspected US data breach.

Exploiting it required chaining several issues together, and the problem has already been fixed, with no evidence of exploitation in the wild. Had it been used, affected users would not have noticed.

The vulnerability itself let attackers bypass the app’s deep link check and load an arbitrary URL into the app’s web view, where the loaded page could reach the JavaScript bridges attached to that web view and the app functionality they expose.
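As an added illustration (not TikTok’s or Microsoft’s code, and not the specific flaw they describe), this is the kind of deep link handling that closes this class of bug in an Android WebView: a weak substring check sits beside an exact host allowlist, and the JavaScript bridge is attached only after the target passes. The `myapp://open?url=...` scheme, the example hosts and the bridge name `NativeBridge` are assumptions.

```java
// Added example, not TikTok's code. Assumes the app accepts a deep link of the form
// myapp://open?url=<page to show> and exposes one native bridge object to trusted pages.
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class DeepLinkWebView {
    // Exact-match allowlist of hosts that may talk to the JavaScript bridge (assumed hosts).
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com", "m.example.com"));

    // Illustrative weak check: a substring test lets unrelated URLs through, e.g.
    // "https://attacker.test/?x=www.example.com" or a host like "www.example.com.attacker.test".
    static boolean weakCheck(String url) {
        return url != null && url.contains("www.example.com");
    }

    // Hardened check: parse the URL and compare scheme and host exactly.
    static boolean isTrusted(Uri target) {
        return target != null
                && "https".equalsIgnoreCase(target.getScheme())
                && target.getHost() != null
                && TRUSTED_HOSTS.contains(target.getHost().toLowerCase());
    }

    // Called with the Uri from Intent.getData(); loads the "url" parameter only if trusted.
    static void open(WebView webView, Uri deepLink, Object bridge) {
        String raw = deepLink.getQueryParameter("url");
        Uri target = raw == null ? null : Uri.parse(raw);
        if (!isTrusted(target)) {
            return;  // refuse outright rather than fall back to a permissive load
        }
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(bridge, "NativeBridge");
        // The bridge stays attached across navigations, so redirects and in-page links
        // must be held to the same allowlist, or the first trusted page can lead elsewhere.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isTrusted(request.getUrl());  // true blocks the navigation
            }
        });
        webView.loadUrl(target.toString());
    }
}
```

The `WebResourceRequest` overload of `shouldOverrideUrlLoading` requires API level 24; on older targets the `String` overload takes the same allowlist check.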

There are two different variations of the TikTok app, one for East and Southeast Asia, and another for other countries. Both were affected by this exploit and Microsoft notified TikTok in February 2022 of the issue.

TikTok released an app update in March 2022, working with Microsoft to close the loophole quickly. Fortunately, the flaw was not actively exploited; it could have been used to post videos and other content on the platform without detection. Microsoft has once again reiterated that JavaScript should be avoided in web views whenever possible, as doing so removes a significant source of risk.

