A vulnerability in the TikTok app for Android could have let attackers take over any account that clicked on a malicious link, potentially affecting hundreds of millions of users of the platform.
Details of the one-click exploit were revealed today in a blog post from researchers on Microsoft’s 365 Defender Research Team. The vulnerability was disclosed to TikTok by Microsoft and has since been patched.
The bug and the resulting attack, labelled a “high severity vulnerability,” could have been used to hijack the account of any TikTok user on Android without their knowledge, once they clicked on a specially crafted link. After the link was clicked, the attacker would have had access to all major functions of the account, including the ability to upload and post videos, send messages to other users, and view private videos stored in the account.
The potential impact was enormous, as it affected all global variants of the Android TikTok app, which has a total of more than 1.5 billion downloads on the Google Play Store. However, there is no evidence it was exploited at scale. Researchers involved in the discovery and disclosure praised TikTok for a quick response.
“We gave them information about the vulnerability and collaborated to help fix this issue,” Tanmay Ganacharya, partner director for security research at Microsoft Defender for Endpoint, told The Verge. “TikTok responded quickly, and we commend the efficient and professional resolution from the security team.”
According to details published in the blog post, the vulnerability affected the deep link functionality of the Android app. Deep link handling tells the operating system to let certain apps process links in a specific way, such as opening the Twitter app to follow a user after clicking an HTML “Follow this account” button embedded in a webpage.
This link handling also includes a verification process that should restrict the actions carried out when an application loads a given link. But the researchers found a way to bypass this verification process and execute a number of potentially weaponizable functions within the app.
One of those functions let them retrieve an authentication token tied to a particular user account, effectively granting account access without the need to enter a password. In a proof-of-concept attack, the researchers crafted a malicious link that, when clicked, changed a TikTok account’s bio to read “SECURITY BREACH.”
Fortunately, the vulnerability was detected, and Microsoft has used the opportunity to emphasize the importance of collaboration and coordination between technology platforms and vendors.
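The verification step described above is the kind of check a deep-link handler performs before it acts on a link's destination. The Python snippet below is an added illustration, not code from the Microsoft post or from TikTok, and it does not reproduce the specific bypass the researchers found. It assumes a hypothetical deep-link format `myapp://open?url=<target>` that forwards a target page to an in-app WebView, and a hypothetical allow-list of hosts; it contrasts a loose check (does the expected domain appear anywhere in the string?) with a strict one that parses the URL and compares scheme and exact host, and runs both over constructed sample links including lookalike-host and userinfo variants.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed allow-list of hosts the hypothetical app may load in its in-app
# WebView (hypothetical names; not TikTok's configuration).
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}

# Hypothetical deep-link scheme handled by the app: myapp://open?url=<target>
APP_SCHEME = "myapp"


def extract_target(deep_link):
    """Pull the forwarded `url` parameter out of an app deep link, or None."""
    parts = urlsplit(deep_link)
    if parts.scheme != APP_SCHEME or parts.netloc != "open":
        return None
    values = parse_qs(parts.query).get("url")
    return values[0] if values else None


def weak_check(target):
    """A loose check: the expected domain merely appears somewhere in the
    string. A lookalike host or a query parameter satisfies it."""
    return "example.com" in target


def strict_check(target):
    """Parse the target and compare scheme and exact host with the allow-list."""
    parts = urlsplit(target)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        # Reject userinfo such as https://app.example.com@other.test/ where the
        # real host is the part after the '@'.
        return False
    host = (parts.hostname or "").lower()
    return host in ALLOWED_HOSTS


def decide(deep_link, check=strict_check):
    """Return (target, allowed) for a deep link; a link without a usable
    target is never allowed."""
    target = extract_target(deep_link)
    if target is None:
        return None, False
    return target, check(target)


# Constructed sample deep links: one legitimate, then lookalike-host,
# query-parameter, userinfo and plain-http variants.
SAMPLES = [
    "myapp://open?url=https://app.example.com/profile",
    "myapp://open?url=https://app.example.com.other.test/x",
    "myapp://open?url=https://other.test/?next=example.com",
    "myapp://open?url=https://app.example.com@other.test/x",
    "myapp://open?url=http://app.example.com/x",
]


def compare(samples=SAMPLES):
    """Map each link to (loose result, strict result) so the gap is visible."""
    out = {}
    for link in samples:
        target = extract_target(link)
        out[link] = (weak_check(target), strict_check(target))
    return out


if __name__ == "__main__":
    for link, (loose, strict) in compare().items():
        print(f"{link}\n  loose: {loose}  strict: {strict}")
```

The loose check accepts every sample, while the strict check accepts only the first; the difference is that the strict version reasons about the parsed host rather than the raw string, which is the property a deep-link verification step needs before it lets a link drive privileged actions in the app.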
“As threats across platforms continue to grow in numbers and sophistication, vulnerability disclosures, coordinated response, and other forms of threat intelligence sharing are needed to help secure users’ computing experience, regardless of the platform or device in use,” wrote Microsoft’s Dimitrios Valsamaras in the blog post. “We will continue to work with the larger security community to share research and intelligence about threats in the effort to build better protection for all.”
Although the TikTok app is not known to have suffered any major hacks to date, some critics have branded it a security risk for other reasons.
Recently, concerns have been raised over the extent to which US users’ data can be accessed by China-based engineers at ByteDance, TikTok’s parent company. In July, Senate Intelligence Committee leaders called on FTC chair Lina Khan to investigate TikTok after reports called into question claims that US users’ data was walled off from the Chinese branch of the company.
TikTok had not responded to questions from The Verge by the time of publication.