A high-severity flaw in the Android version of the TikTok app — which has been installed more than 1.5 billion times so far via the Google Play Store — could allow threat actors to hijack a user's account with a single click.
Microsoft discovered the high-severity vulnerability in the handling of one of TikTok for Android's deeplinks, a particular type of hyperlink in Android that links to a specific component within an app. To exploit it, cybercriminals could craft a malicious link that, if clicked, would allow full account access.
Tracked as CVE-2022-28799, the flaw could allow attackers to modify users' TikTok profiles and access sensitive information, "such as by publicizing private videos, sending messages, and uploading videos on behalf of users," according to a Microsoft Security blog post published Wednesday.
In all, the exploit exposes 70 methods that an attacker could use to modify users' TikTok profiles and access sensitive information without users' awareness, according to the post.
"Attackers can use the vulnerability to redirect URLs to various components of the application via a query parameter to trigger the deeplink and call nonexported activities, expanding the attack surface of the application," according to the post.
Proof-of-Concept TikTok Attack
In a proof-of-concept (PoC) exploit, Microsoft researchers were able to force the application to load an arbitrary URL (https://www.tiktok[.]com, in this case) into the application's WebView, they said.
The post added, "In short, by controlling any of the methods able to perform authenticated HTTP requests, a malicious actor could have compromised a TikTok user account."
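The pattern the post describes, a deeplink whose query parameter becomes the URL loaded into a WebView, is easiest to see from the defensive side. The following Android Activity is an added illustration written for this article; it is not TikTok's code and does not come from the Microsoft post. The package name, the `redirect_url` parameter name and the allowlisted hosts are assumptions. It parses the redirect target and checks it against an exact-match host allowlist before it ever reaches `WebView.loadUrl`, and re-checks every later navigation so a redirect on the allowed page cannot escape the list.

```java
// Added example, not TikTok's code: an Activity that handles a deeplink
// carrying a redirect target in a query parameter and refuses to load
// anything outside an allowlist of hosts. Package name, parameter name and
// hosts are hypothetical.
package example.deeplink;

import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class DeepLinkActivity extends Activity {
    // Exact-match allowlist. endsWith("example.com") would accept
    // "attacker-example.com"; contains("example.com") would accept
    // "https://evil.test/?x=example.com". Neither is a host check.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(
            Arrays.asList("www.example.com", "m.example.com")); // hypothetical

    private WebView webView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        webView.setWebViewClient(new WebViewClient() {
            // Validate every navigation, not only the first load, so a 3xx
            // redirect or a link on the allowed page stays inside the list.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowedTarget(url); // returning true blocks the load
            }
        });
        setContentView(webView);

        Uri deepLink = getIntent().getData();
        String target = deepLink == null ? null : deepLink.getQueryParameter("redirect_url");
        if (target != null && isAllowedTarget(target)) {
            webView.loadUrl(target);
        } else {
            // Missing or untrusted target: load a fixed page instead of
            // whatever the link supplied.
            webView.loadUrl("https://www.example.com/home"); // hypothetical
        }
    }

    /** True only for https URLs whose host exactly matches the allowlist. */
    static boolean isAllowedTarget(String url) {
        if (url == null) return false;
        Uri parsed = Uri.parse(url);
        String scheme = parsed.getScheme();
        String host = parsed.getHost();
        if (scheme == null || host == null) return false;
        if (!"https".equals(scheme.toLowerCase(Locale.ROOT))) return false;
        // Reject userinfo tricks such as https://www.example.com@evil.test/
        // where the visible prefix is not the host the WebView would contact.
        if (parsed.getUserInfo() != null) return false;
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }
}
```

The same check should be applied to any in-app scheme the parameter can name, since the post's finding was that the parameter could be pointed at internal components, not only at web pages. Any JavaScript bridge exposed to the WebView (the "methods able to perform authenticated HTTP requests" in the post) should only be attached once the page origin has passed this check.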
Patch the TikTok App Now
Microsoft notified TikTok about the flaw, in line with its responsible disclosure practices. TikTok responded by rapidly issuing a fix to both versions of the Android app it offers — one for East Asia and Southeast Asia and the other for all remaining countries — both of which were affected. Users should update their apps to the latest version to protect themselves.
The quick response is notable, given the myriad privacy and security issues that have plagued TikTok in the past. However, it has been cleaning up its act in recent years, starting with its introduction of a bug-bounty program through HackerOne in 2020.
In February, the company's global chief security officer Roland Cloutier told Dark Reading that TikTok has committed to building a culture of security and transparency going forward, given its access to sensitive data and content for billions of organizations and individuals.