‘High Severity’ TikTok Vulnerability Allowed One-Click Account Takeover

A vulnerability in the TikTok app for Android could have allowed attackers to take control of any account that clicked on a malicious link, potentially affecting hundreds of millions of platform users.

The details of the one-click exploit were revealed today in a blog post by researchers from the Microsoft 365 Defender Research Team. The vulnerability was disclosed to TikTok by Microsoft and has since been patched.

The bug and resulting attack, labeled a “high severity” vulnerability, could have been used to hijack any TikTok user’s account on Android without their knowledge, once they clicked on a specially crafted link. Once the link was clicked, the attacker would have had access to all major account functions, including the ability to upload and post videos, send messages to other users, and view private videos stored in the account.

The potential impact was huge, as it affected all global variants of the TikTok Android app, which has over 1.5 billion downloads on the Google Play Store. However, “there is no evidence that it was exploited by bad actors,” TikTok spokesperson Maureen Shanahan said. “Researchers involved in the discovery and disclosure commended TikTok for a quick response.”

Microsoft confirmed that TikTok responded quickly to the report. “We gave them information about the vulnerability and worked together to help resolve this issue,” Tanmay Ganacharya, Partner Director for Security Research at Microsoft Defender for Endpoint, told The Verge. “TikTok responded quickly, and we commend the security team’s efficient and professional resolution.”

According to the details published in the blog post, the vulnerability affected the Android app’s deep link functionality. Deep link handling instructs the operating system to let certain applications handle links in a specific way, such as opening the Twitter application to follow a user after clicking an HTML “Follow this account” button embedded in a web page.

This link handling also includes a verification process that should limit the actions performed when an application loads a given link. But the researchers found a way to bypass this verification process and reach a number of potentially weaponizable functions within the app.

One of these functions allowed them to retrieve an authentication token linked to a given user account, thus granting access to the account without having to enter a password. In a proof-of-concept attack, the researchers created a malicious link that, when clicked, changed a TikTok account’s bio to read “SECURITY BREACH”.

A screenshot of a compromised account.

Fortunately, the vulnerability was detected and Microsoft took the opportunity to emphasize the importance of collaboration and coordination between technology platforms and vendors.

“As platform threats continue to grow in number and sophistication, vulnerability disclosures, a coordinated response, and other forms of threat intelligence sharing are needed to help secure the computing experience of users, regardless of platform or device,” Microsoft’s Dimitrios Valsamaras wrote in the blog post. “We will continue to work with the broader security community to share research and threat intelligence with the goal of creating better protection for all.”

Although the TikTok app is not known to have suffered any major hacks so far, some critics have called it a security risk for other reasons.

Recently, concerns have been raised about the extent to which US user data can be accessed by China-based engineers at ByteDance, TikTok’s parent company. In July, leaders of the Senate Intelligence Committee called on FTC Chairwoman Lina Khan to investigate TikTok after reports questioned claims that US user data was isolated from the company’s China branch.

Correction and update: This story has been updated with a statement from TikTok. A previous version of this article stated that TikTok had not responded at the time of publication. In fact, The Verge received their comment but did not include it. We regret the error.