Microsoft found and reported a serious security issue with TikTok

Microsoft found and reported a serious security issue with TikTok

The Android TikTok app had a serious security issue, and Microsoft was the one that reported it. The company recently detailed the findings for the cybersecurity community, indicating that the high-severity vulnerability could have allowed attackers to compromise accounts in a single click. TikTok was also notified of the issue by Microsoft, and it has since been patched.

This specific vulnerability impacted TikTok on Android version 23.7.3 and lower, required several issues to be chained together to exploit, and was not used in the wild, according to Microsoft. This means that no one is likely to have been affected by it. There are actually two versions of TikTok on Android, one for East and Southeast Asia, and another for the rest of the world. Microsoft performed a vulnerability assessment and found both were impacted, meaning the vulnerability hit a total of 1.5 billion installations.

XDA VIDEO OF THE DAY

With the vulnerability, though, hackers could have hijacked an Android-based TikTok account without the user knowing just if the user clicked on a single link. The attacker could have accessed the compromised TikTok profile, letting them see private videos, send messages, or upload videos.

So, what are the specifics on how this vulnerability could have been used by an attacker? Well, according to Microsoft, the TikTok Android app allowed the app’s deeplink verification to be bypassed. An attacker could have forced the app to load a URL to the app’s WebView. This would have then allowed the page in that URL to access the WebView’s JavaScript bridges to give a hacker more functionality and 70 ways to quickly access a user’s information. The attacker could have also retrieved the user’s authentication tokens by triggering a request to a controlled server and logging the cookie and the request headers.

Microsoft wrote about this very JavaScript bridges issue in the past, and a CVE entry is available for more specifics on this TikTok vulnerability. The company reported the issue through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) in February of 2022, and it was patched by TikTok a month after the disclosure. Microsoft holds that this situation is one that shows how important it is to coordinate research and threat intelligence in the technology industry.

Source: Microsoft

About author

Arif Bacchus
Arif Bacchus

I have over six years of experience covering Microsoft, Surface, Windows, macOS, and Chrome OS news and rumors for sites like Digital Trends and OnMSFT. I also write laptop reviews and how-to guides. I am a Microsoft fan and I have a drawer full of PCs and other devices. You can follow and interact with me on Twitter if you want to chat!

We are reader supported. External links may earn us a commission.