A vulnerability in TikTok’s Android app could have allowed attackers to hijack the account of any user who simply clicked on a malicious link.
The vulnerability, discovered by Microsoft’s 365 Defender Research Team, would have given an attacker the ability to send messages, upload videos, and view an account’s private videos.
The issue, labeled as a “high severity vulnerability” by Microsoft, was quickly reported to TikTok and has since been fixed.
In a blog post on the discovery, Microsoft says the bug likely affected at least 1.5 billion users across the globe, although there is no evidence it was being actively exploited.
The vulnerability stemmed from the Android app’s handling of “deeplinks,” the mechanism that, for example, lets a TikTok link clicked in a web browser or another app open directly in the TikTok app.
Microsoft says it was able to bypass “the app’s deeplink verification,” the check that is supposed to restrict which pages the app will open, which meant an attacker-controlled webpage could be loaded inside the app.
“While reviewing the app’s handling of a specific deeplink, we discovered several issues that, when chained together, could have been used to force the application to load an arbitrary URL to the application’s WebView,” the blog post says.
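The bug class Microsoft describes, a deeplink parameter that ends up as the URL of an in-app WebView exposing privileged JavaScript bridges, is illustrated below. This is an added example written for this page, not TikTok’s code and not Microsoft’s proof of concept: the class and method names, the `myapp://open?url=` deeplink shape, the `url` parameter, the `AccountBridge` interface and the `app.example` hosts are all hypothetical, chosen only to show the difference between trusting the parameter and verifying it.

```java
import android.app.Activity;
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical Android activity illustrating the deeplink-to-WebView bug class.
// Nothing here is TikTok's code; names and hosts are constructed for the example.
public class DeeplinkWebViewActivity extends Activity {

    // Hosts the app is willing to render inside its WebView: exact names, no wildcards.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.app.example", "m.app.example"));

    // A privileged bridge: any page rendered in a WebView with this interface attached
    // can call these methods from its own JavaScript, so the page must be trusted.
    static class AccountBridge {
        @JavascriptInterface
        public String getSessionToken() { return "session-token-placeholder"; }
    }

    // VULNERABLE: trusts the deeplink's "url" query parameter outright. A constructed link such as
    //   myapp://open?url=https://attacker.example/
    // makes the app render the attacker's page with the AccountBridge attached.
    void handleDeeplinkVulnerable(WebView webView, Uri deeplink) {
        String target = deeplink.getQueryParameter("url");
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new AccountBridge(), "account");
        webView.loadUrl(target);
    }

    // HARDENED: parse the target, require https and an exact allowlisted host, and keep
    // enforcing the same rule for every navigation the loaded page later triggers.
    void handleDeeplinkHardened(WebView webView, Uri deeplink) {
        String target = deeplink.getQueryParameter("url");
        if (!isAllowedTarget(target)) {
            finish(); // refuse; never fall through to loading the untrusted URL
            return;
        }
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true tells the WebView not to load the URL itself.
                return !isAllowedTarget(request.getUrl().toString());
            }
        });
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new AccountBridge(), "account");
        webView.loadUrl(target);
    }

    // Verification done on the parsed URL, not on the raw string: substring or
    // suffix checks such as target.contains("app.example") are the classic mistake,
    // since "https://attacker.example/?x=app.example" satisfies them.
    static boolean isAllowedTarget(String target) {
        if (target == null) return false;
        Uri u = Uri.parse(target);
        if (!"https".equals(u.getScheme())) return false;   // rejects javascript:, file:, http:
        if (u.getUserInfo() != null) return false;          // rejects https://trusted@attacker.example
        String host = u.getHost();
        if (host == null) return false;
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }
}
```

The hardened path checks the URL twice: once before the first load, and again in `shouldOverrideUrlLoading` for navigations the page itself performs, because a trusted first page that can be made to navigate elsewhere would otherwise hand the bridge to the second page. Where possible the privileged bridge should not be attached at all unless the content is first-party.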
After carrying out a proof-of-concept attack, Microsoft’s researchers were able to change a TikTok account’s bio to read “SECURITY BREACH” after a malicious link was clicked.
In order to protect against such attacks, Microsoft urges users to avoid clicking untrusted links and to make sure they’re always running the latest version of TikTok’s app.
Microsoft also stresses the importance of collaboration across the tech industry in order to ensure that users remain protected against malicious actors.
“As threats across platforms continue to grow in numbers and sophistication, vulnerability disclosures, coordinated response, and other forms of threat intelligence sharing are needed to help secure users’ computing experience, regardless of the platform or device in use,” the blog adds. “We will continue to work with the larger security community to share research and intelligence about threats in the effort to build better protection for all.”
Source: https://www.dailydot.com/debug/tiktok-one-click-vulnerability-android-app/