A vulnerability in the TikTok app for Android could have let attackers take over any account that clicked on a malicious link, potentially affecting hundreds of millions of users of the platform.
Details of the one-click exploit were revealed today in a blog post from researchers on Microsoft’s 365 Defender Research Team. The vulnerability was disclosed to TikTok by Microsoft, and has since been patched.
The bug and its resulting attack, labelled a “high severity vulnerability,” could have been used to hijack the account of any TikTok user on Android without their knowledge, once they clicked on a specially crafted link. After the link was clicked, the attacker would have access to all primary functions of the account, including the ability to upload and post videos, send messages to other users, and view private videos stored in the account.
The potential impact was huge, as it affected all global variants of the Android TikTok app, which has a total of more than 1.5 billion downloads on the Google Play Store. However, there’s no evidence it was exploited by bad actors,” said TikTok spokesperson Maureen Shanahan. “Researchers involved with the discovery and disclosure praised TikTok for a quick response.”
Microsoft confirmed that TikTok responded promptly to the report. “We gave them information about the vulnerability and collaborated to help fix this issue” Tanmay Ganacharya, partner director for security research at Microsoft Defender for Endpoint, told The Verge. “TikTok responded quickly, and we commend the the efficient and professional resolution from the security team.”
According to details published in the blog post, the vulnerability affected the deep link functionality of the Android app. This deep link handling tells the operating system to let certain apps process links in a specific way, such as opening the Twitter app to follow a user after clicking an HTML “Follow this account” button embedded in a webpage.
This link handling also includes a verification process that should restrict the actions performed when an application loads a given link. But the researchers found a way to bypass this verification process and execute a number of potentially weaponizable functions within the app.
One of these functions let them retrieve an authentication token tied to a certain user account, effectively granting account access without the need to enter a password. In a proof-of-concept attack, the researchers crafted a malicious link that, when clicked, changed a TikTok account’s bio to read “SECURITY BREACH.”
:format(webp):no_upscale()/cdn.vox-cdn.com/uploads/chorus_asset/file/23983640/Screen_Shot_2022_08_30_at_6.38.37_PM.png)
Fortunately, the vulnerability was detected, and Microsoft has used the opportunity to stress the importance of collaboration and coordination between technology platforms and vendors.
“As threats across platforms continue to grow in numbers and sophistication, vulnerability disclosures, coordinated response, and other forms of threat intelligence sharing are needed to help secure users’ computing experience, regardless of the platform or device in use,” wrote Microsoft’s Dimitrios Valsamaras in the blog post. “We will continue to work with the larger security community to share research and intelligence about threats in the effort to build better protection for all.”
Although the TikTok app is not known to have suffered any major hacks so far, some critics have branded it a security risk for other reasons.
Recently, concerns have been raised over the extent to which US users’ data can be accessed by China-based engineers at ByteDance, TikTok’s parent company. In July, Senate Intelligence Committee leaders called on FTC chair Lina Khan to investigate TikTok after reports brought into question claims that US users’ data was walled off from the Chinese branch of the company.
Correction and update: This story has been updated with a statement from TikTok. A previously version of this article said that TikTok failed to respond by publication time. In fact, The Verge received their comment but failed to include it. We regret the error.
