Microsoft recently disclosed a one-click account-takeover vulnerability (now patched) in the TikTok Android app. According to the company, the “high severity vulnerability” let an attacker take over an account if the victim did nothing more than click a malicious link.
One-Click Vulnerability in TikTok Android App
Dimitrios Valsamaras, from the Microsoft 365 Defender Research Team, noted in a write-up, “Attackers could have leveraged the vulnerability to hijack an account without users’ awareness if a targeted user simply clicked a specially crafted link.”
An attacker exploiting the flaw could have accessed a victim’s profile and sensitive account data. They could also have modified the TikTok profile, viewed private videos, sent messages, and uploaded videos on the victim’s behalf.
Microsoft found the issue in version 23.7.3 of the app. It affected both Android variants of TikTok: com.ss.android.ugc.trill (distributed in East and Southeast Asia) and com.zhiliaoapp.musically (distributed in other countries, except India, where TikTok is banned). Together, the two variants have more than 1.5 billion installations.
Microsoft reported the flaw to TikTok, which promptly issued a fix. Microsoft also said it had found no evidence that the vulnerability was exploited in the wild before the patch.
More Details About the Security Flaw
The vulnerability is tracked as CVE-2022-28799 and carries a CVSS (Common Vulnerability Scoring System) score of 8.8. Microsoft explained that it stems from the TikTok app’s handling of deeplinks. A deeplink is a URL that the operating system routes to a specific screen or resource inside an installed app (on Android, via an intent filter declared by the app) rather than to a website. Because anyone can craft such a link, the app must validate every parameter the link carries before acting on it.
The flaw let an attacker bypass the app’s deeplink verification, which was meant to reject untrusted hosts, and load an arbitrary attacker-controlled URL into the app’s WebView (the component, backed by Android System WebView, that renders web content inside an app). That mattered because the app exposed JavaScript interfaces to pages loaded in that WebView; Microsoft counted more than 70 exposed methods, and a malicious page could call them to retrieve the user’s authentication tokens and act as the user.
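To make the host-validation point concrete, here is an added example written for this article; it is not TikTok’s code and not Microsoft’s proof of concept, and it is in Python rather than the app’s Java/Kotlin so the logic can be run anywhere. It models a redirect-style deeplink handler with a hypothetical redirect_url parameter and a hypothetical allowlist, contrasting two weak host checks (a substring match and a suffix match) with a strict check that parses the URL and compares scheme and exact host. All URLs are constructed test inputs.

```python
from urllib.parse import urlsplit, parse_qs

# Hypothetical allowlist for this example; it is not TikTok's real list.
ALLOWED_HOSTS = {"m.tiktok.com", "www.tiktok.com"}


def weak_is_trusted(url: str) -> bool:
    """Naive check: substring match anywhere in the raw URL string.
    Accepts 'https://evil.example/?next=tiktok.com' and userinfo tricks."""
    return "tiktok.com" in url


def weak_suffix_is_trusted(url: str) -> bool:
    """Parses the host but compares only its suffix, with no dot boundary,
    so 'eviltiktok.com' passes. Scheme is never checked."""
    host = urlsplit(url).hostname or ""
    return host.endswith("tiktok.com")


def strict_is_trusted(url: str) -> bool:
    """Parse first, then pin the scheme and compare the exact host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    # Reject userinfo: 'https://m.tiktok.com@evil.example/' puts the trusted
    # name in the username field while the real host is evil.example.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # urlsplit lower-cases this for us
    return host is not None and host in ALLOWED_HOSTS


def handle_deeplink(deeplink: str, validator=strict_is_trusted):
    """Model of a redirect deeplink handler (hypothetical shape):
    https://m.tiktok.com/redirect?redirect_url=<url-encoded target>
    Returns the URL the WebView would load, or None if validation fails."""
    query = parse_qs(urlsplit(deeplink).query)
    target = query.get("redirect_url", [None])[0]
    if target is None or not validator(target):
        return None
    return target


# Constructed inputs: legitimate link first, then attacker-shaped ones.
SAMPLE_URLS = [
    "https://m.tiktok.com/profile",
    "https://eviltiktok.com/",
    "https://evil.example/?next=tiktok.com",
    "https://m.tiktok.com@evil.example/",
    "http://m.tiktok.com/",
]


def evaluate(urls=SAMPLE_URLS):
    """Return {url: (weak, suffix, strict)} so the checks can be compared."""
    return {
        u: (weak_is_trusted(u), weak_suffix_is_trusted(u), strict_is_trusted(u))
        for u in urls
    }


if __name__ == "__main__":
    for url, verdicts in evaluate().items():
        print(f"{url:45} weak={verdicts[0]!s:5} suffix={verdicts[1]!s:5} "
              f"strict={verdicts[2]!s:5}")
```

On Android the same logic applies to the Intent data URI an activity receives (android.net.Uri exposes the scheme and host separately); the properties that matter are the same: parse before comparing, compare the whole host rather than a substring or suffix, and pin the scheme. Even with a correct allowlist, a JavaScript bridge should only be attached when the loaded origin is trusted, because an open redirect or XSS on an allowlisted host otherwise reaches the same bridge methods.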
In short, an attacker could have taken over accounts with very little effort. TikTok’s prompt fix closed the hole for users of both affected Android apps before any known exploitation took place.