A “high severity” TikTok vulnerability allowed account hijacking with a single click

A vulnerability in the TikTok app for Android could have allowed attackers to take over any account that clicked on a malicious link, potentially affecting hundreds of millions of users on the platform.

Details of the one-click exploit were revealed today in a blog post by researchers from the Microsoft 365 Defender Research Team. Microsoft disclosed the vulnerability to TikTok, and it has since been patched.

The bug and its resulting attack, labeled a “high severity vulnerability,” could have been used to hijack any TikTok user’s account on Android without their knowledge, once they clicked on a specially crafted link. After clicking the link, the attacker would have access to all the main features of the account, including the ability to upload and post videos, send messages to other users, and view private videos stored on the account.

The potential impact was huge as it affected all global variants of the TikTok Android app, which has a total of over 1.5 billion downloads on the Google Play Store. However, there is no evidence that it has been exploited at scale. Researchers involved in the discovery and disclosure praised TikTok for a quick response.

“We gave them information about the vulnerability and worked together to fix this issue,” Tanmay Ganacharya, director of security research at Microsoft Defender for Endpoint, told The Verge. “TikTok responded quickly and we commend the security team’s efficient and professional resolution.”

According to the details published in the blog post, the vulnerability affected the deep-linking functionality of the Android app. A deep link is a URI that the operating system routes to a registered application, which then decides how to handle it; the familiar example is clicking a “Follow this account” button embedded in a web page and landing in the Twitter app, already positioned to follow that user.

The link handler includes a verification step that is supposed to restrict what the app will do with a given link. The researchers found a way to bypass that check and reach a number of in-app functions that an attacker could weaponize.

One such function returns the authentication token tied to the logged-in account, which effectively grants access to the account without the need to enter a password. In a proof-of-concept attack, the researchers crafted a malicious link that, when clicked, changed a TikTok account’s bio to read “SECURITY BREACH.”
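The pattern at the heart of this class of bug is a deep-link handler that decides whether a URL supplied in the link may be handed to privileged in-app functionality, and a check that is looser than it looks. The following is an added illustration written for this article, not TikTok's code and not the specific bypass Microsoft reported: the host names, the allowlist and the sample links are assumptions. It contrasts a substring-style check with a parse-then-compare check against the same inputs.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

// Illustrative deep-link URL gating (example code, not TikTok's). The hosts
// below are assumed for the example; a real app would list its own domains.
public class DeepLinkCheck {
    // Hosts whose content the app is willing to load into its in-app browser.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("www.example-app.com", "m.example-app.com");

    // Weak check: a substring match is satisfied by any URL that merely
    // mentions the trusted domain, wherever it appears.
    static boolean weakIsAllowed(String url) {
        return url.contains("example-app.com");
    }

    // Hardened check: parse the URL, require https, and compare the parsed
    // host exactly against the allowlist (case-insensitively).
    static boolean strictIsAllowed(String url) {
        try {
            URI u = new URI(url);
            String host = u.getHost();
            return "https".equalsIgnoreCase(u.getScheme())
                    && host != null
                    && ALLOWED_HOSTS.contains(host.toLowerCase());
        } catch (URISyntaxException e) {
            return false; // unparseable input is rejected, not guessed at
        }
    }

    public static void main(String[] args) {
        // Constructed sample links: one legitimate, the rest attacker-shaped.
        String[] samples = {
            "https://www.example-app.com/profile/123",          // legitimate
            "https://www.example-app.com.attacker.test/",       // trusted name as a subdomain
            "https://www.example-app.com@attacker.test/",       // trusted name in userinfo
            "https://attacker.test/?next=example-app.com",      // trusted name in the query
            "https://attacker.test/#example-app.com",           // trusted name in the fragment
            "javascript://example-app.com/%0aalert(1)",         // non-https scheme
        };
        for (String s : samples) {
            System.out.printf("%-50s weak=%-5s strict=%s%n",
                    s, weakIsAllowed(s), strictIsAllowed(s));
        }
    }
}
```

Only the first sample passes `strictIsAllowed`; every sample passes `weakIsAllowed`. The point for a reviewer is that the decision must be made on the parsed scheme and host of the URL the app will actually load, not on the raw string, and that the same discipline applies to any parameter a deep link can carry into code paths that touch session tokens or account state.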

Image: a screenshot of a compromised account (credit: Microsoft).

Fortunately, the vulnerability was found and fixed before any known large-scale abuse, and Microsoft has used the disclosure to highlight the importance of collaboration and coordination between technology platforms and vendors.

“As cross-platform threats continue to grow in number and sophistication, vulnerability disclosures, coordinated response and other forms of threat intelligence sharing are needed to help secure users’ computing experience, regardless of the platform or device being used,” wrote Microsoft’s Dimitrios Valsamaras in the blog post. “We will continue to work with the larger security community to share research and threat intelligence in an effort to create better protection for everyone.”

While the TikTok app is not known to have suffered any major hacks so far, some critics have called it a security risk for other reasons.

Recently, concerns have been raised about the extent to which engineers in China at ByteDance, TikTok’s parent company, can access US user data. In July, leaders of the Senate Intelligence Committee asked FTC Chairwoman Lina Khan to investigate TikTok after reports cast doubt on claims that US users’ data was blocked from the company’s Chinese branch.

TikTok had not responded to The Verge’s questions by the time of publication.
