The TikTok Android app harbored a critical flaw that criminals could have exploited to hijack user accounts, Microsoft researchers have discovered.
The vulnerability involved using a crafted URL to bypass the app’s deeplink verification mechanism and force the app’s WebView component to load an arbitrary URL.
Despite the vulnerability’s tremendous destructive potential, Microsoft has no evidence that criminals have actually used it to carry out any attacks.
“The vulnerability, which would have required several issues to be chained together to exploit, has been fixed and we did not locate any evidence of in-the-wild exploitation,” reads Microsoft’s security advisory. “Attackers could have leveraged the vulnerability to hijack an account without users’ awareness if a targeted user simply clicked a specially crafted link. Attackers could have then accessed and modified users’ TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users.”
Malicious actors could have used the disclosed deeplink verification bypass vulnerability in conjunction with an HTTP request authentication method to compromise TikTok accounts.
Experts determined that the vulnerability affected both TikTok versions: the East and Southeast Asia release (com.ss.android.ugc.trill) and the global one (com.zhilliaoap.musically). On Google’s Play Store alone, the apps have a combined 1.5 billion installations.
TikTok was informed of the flaw in February 2022, and quickly released a fix. Microsoft issued a brief list of recommendations to stay safe against this attack and similar ones:
- Avoiding installing apps from unknown sources
- Keeping the device and installed apps up to date
- Avoiding clicking links from untrusted sources
- Reporting any suspicious activity on the app to the vendor
Specialized solutions like Bitdefender Mobile Security can help you fend off new and existing security threats with features like:
- Malware scanner
- Web protection module that scans webpages and warns you of potentially dangerous content
- Link-based attack detection
- Security advisor
- Account privacy module that checks if your accounts have been compromised in data breaches
- Device scanner that automatically inspects newly installed apps