The business revealed that a series of problems might have been exploited to create a scenario where an account could have been compromised with just one click on a specially crafted link in a paper(opens in new tab) posted to the Microsoft Security blog.
According to Microsoft, a high-severity flaw in the TikTok Android app could have made it possible for accounts to be taken over “with a single click.”
Highlights
-
TikTok security bug
-
“Attackers could have then accessed and modified users’ TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users,” explained Microsoft.
The problem stemmed from the app’s use of JavaScript interfaces, which are prevalent across TikTok for Android. The study delves into the technical details, but in short, Microsoft was able to show an account compromise by taking advantage of the way the app handled JavaScript APIs in conjunction with the way Android routed URLs.
All versions of the TikTok Android app, which have been downloaded more than 1.5 billion times overall, allegedly have the aforementioned vulnerability.
Fortunately, the researchers did not find any evidence that the vulnerability had been used in the wild; the problem was quickly fixed once it was made public back in February. Microsoft believes that the TikTok security team deserves praise for how quickly and effectively it responded to the situation.
“This case displays how the ability to coordinate research and threat intelligence sharing via expert, cross-industry collaboration is necessary to effectively mitigate issues,” said Dimitrios Valsamaras, of the Microsoft 365 Defender Research Team.
“As threats across platforms continue to grow in numbers and sophistication, vulnerability disclosures, coordinated response, and other forms of threat intelligence sharing are needed to help secure users’ computing experience, regardless of the platform or device in use.” Although the bulk of TikTok users will already have access to the patch, worried users can make sure they are secured by updating their app to the most recent version.