Microsoft has disclosed a high-severity vulnerability in the TikTok app for Android that could have let an attacker take over an account with a single click. The company recently published the details for the security community after reporting the issue to TikTok, which has since patched it.

The vulnerability affected TikTok for Android version 23.7.3 and lower and required several weaknesses to be chained together to exploit. Microsoft said it found no evidence that the flaw had been exploited in the wild. There are two TikTok apps on Android, one for East and Southeast Asia and another for the rest of the world; Microsoft's assessment found both were affected, covering a combined 1.5 billion installations.

Had it been exploited, an attacker could have hijacked a victim's TikTok account on Android without the victim noticing, as soon as they clicked a single crafted link. With control of the account, the attacker could have viewed private videos, sent messages, or uploaded videos as the victim.

So how could an attacker have used it? According to Microsoft, the TikTok Android app's deeplink verification could be bypassed, allowing an attacker to force the app to load an attacker-chosen URL in its own WebView. That WebView exposed JavaScript bridges to the page it loaded, with more than 70 exposed methods, so the attacker's page could invoke app functionality and read the user's information directly. The attacker could also have stolen the user's authentication tokens by triggering a request to a server under their control and logging the cookie and request headers sent with it.
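To make the first link in that chain concrete, here is a constructed example written for this article, not TikTok's code and not the specific check Microsoft bypassed: a model of a deeplink handler that extracts a redirect target and decides whether the app's privileged WebView may load it, with a weak host check beside a hardened one. The hostnames (`m.example-app.com`, `www.example-app.com`, `evil.example`), the `/redirect?redirect_url=` deeplink shape and the sample links are all hypothetical.

```python
"""Deeplink redirect-URL validation: a weak allow-list check beside a hardened one.

Constructed example for this article, not TikTok's code. The hostnames, the
deeplink shape and the weak check are hypothetical; they model the general bug
class (loading a URL in a privileged WebView after a host check that an
attacker-controlled authority can satisfy), not the exact check TikTok used or
the exact bypass Microsoft found.
"""
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical names for the example.
DEEPLINK_HOST = "m.example-app.com"                            # host of the exported deeplink
TRUSTED_HOSTS = {"www.example-app.com", "m.example-app.com"}   # may be loaded in the WebView


def weak_is_trusted(url: str) -> bool:
    """Weak check: accepts the URL if a trusted domain appears anywhere in its authority.

    The authority (netloc) also carries userinfo and any parent labels, so
    "https://www.example-app.com@evil.example/" and
    "https://www.example-app.com.evil.example/" both pass, and the scheme is
    never checked at all.
    """
    return "example-app.com" in urlsplit(url).netloc


def strict_is_trusted(url: str) -> bool:
    """Hardened check: parse, then require https, no userinfo, no explicit port and
    an exact, case-insensitive hostname match against the allow-list."""
    try:
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False
        if parts.username is not None or parts.password is not None:
            return False
        if parts.port is not None:        # .port raises ValueError on a malformed port
            return False
        host = parts.hostname             # already lower-cased by urlsplit
    except ValueError:
        return False
    return host is not None and host in TRUSTED_HOSTS


def resolve_deeplink(deeplink: str, is_trusted: Callable[[str], bool]) -> Optional[str]:
    """Model of the app's handler: pull redirect_url out of the exported deeplink and
    return it only if is_trusted accepts it. None means the WebView is never loaded."""
    parts = urlsplit(deeplink)
    if parts.scheme != "https" or parts.hostname != DEEPLINK_HOST or parts.path != "/redirect":
        return None
    target = parse_qs(parts.query).get("redirect_url", [None])[0]
    if target is None or not is_trusted(target):
        return None
    return target


def make_deeplink(target: str) -> str:
    """Build the deeplink an attacker would embed in a message or web page (constructed)."""
    return f"https://{DEEPLINK_HOST}/redirect?redirect_url={quote(target, safe='')}"


# Constructed redirect targets: one legitimate, four attacker-controlled.
SAMPLES = {
    "legitimate": "https://www.example-app.com/settings",
    "lookalike":  "https://www.example-app.com.evil.example/login",
    "userinfo":   "https://www.example-app.com@evil.example/",
    "plain_http": "http://m.example-app.com/",
    "unrelated":  "https://evil.example/",
}


def evaluate() -> Dict[str, Tuple[bool, bool]]:
    """For each sample: (weak handler loads it, strict handler loads it)."""
    return {
        name: (
            resolve_deeplink(make_deeplink(target), weak_is_trusted) is not None,
            resolve_deeplink(make_deeplink(target), strict_is_trusted) is not None,
        )
        for name, target in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (weak, strict) in evaluate().items():
        print(f"{name:10s} weak={weak!s:5s} strict={strict}")
```

Two caveats for anyone porting this to an app. First, the check has to run on exactly the string the WebView will load: `android.net.Uri` and Chromium's URL parser disagree on some edge cases (userinfo, backslashes, percent-encoded separators), so validate a canonical form and hand only that re-serialized URL to `loadUrl`. Second, host allow-listing only gates entry to the WebView; the more durable fix is not to expose `@JavascriptInterface` methods to any page that is not the app's own, for example by checking the calling page's origin inside each bridge method or by scoping the bridge to a WebView that never loads third-party content.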

Microsoft has previously written about the risks of exposed WebView JavaScript bridges, and the CVE entry for this TikTok vulnerability carries further specifics. The company reported the issue through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) in February 2022, and TikTok patched it a month after the disclosure. Microsoft holds the case up as an example of why coordinated research and threat intelligence sharing across the technology industry matter.

Source: Microsoft