Microsoft discovered a critical one-click exploit in TikTok’s Android app.

TikTok, thankfully, patched the flaw.


Microsoft discovered a serious vulnerability in the TikTok Android app that could have allowed hackers to hijack millions of accounts. On Wednesday, the company’s 365 Defender Research Team detailed a one-click exploit that it had reported to TikTok in February. The good news is that the vulnerability was patched quickly, before today’s disclosure, and Microsoft claims it has no evidence of anyone exploiting it in the wild.


“We informed them about the vulnerability and worked together to resolve the issue,” Microsoft’s Tanmay Ganacharya told The Verge. “TikTok responded quickly, and we applaud the security team’s efficient and professional resolution.”


According to Microsoft, the flaw was caused by an oversight in TikTok’s deep linking functionality. Developers on Android can programme their apps to handle specific URLs in specific ways. For example, when you tap on a Twitter embed in Chrome and the Twitter app automatically opens on your phone, that is the deep linking feature working as intended.


However, Microsoft discovered a way to circumvent the verification process TikTok had in place to prevent deep links from performing specific actions. They then discovered that they could exploit that vulnerability to gain access to all of an account’s primary functions, including the ability to post content and message other TikTok users. The bug was present in both the global and local versions of TikTok’s Android app. The two releases have over 1.5 billion downloads combined, implying that the impact of someone discovering the vulnerability before it was patched could have been massive.


Microsoft advises all TikTok users on Android to download the most recent version of the app as soon as possible. More broadly, you can protect yourself from similar exploits in the future by not clicking on suspicious links. It’s also a good idea to avoid sideloading apps because you never know how someone might have tampered with the APK.