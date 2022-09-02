Vulnerability in TikTok app could have allowed accounts to be hijacked

Microsoft found no indication of the vulnerability being exploited in the wild.

Flaw is reported to have been present in all versions of the app.

The problem stemmed from the app’s implementation of JavaScript interfaces.

According to Microsoft, a high-severity vulnerability in the TikTok Android application might have allowed accounts to be hijacked “with a single click.”

In a post published on the Microsoft Security blog, the company said that a chain of problems could have been exploited to create a scenario in which an account might be compromised with a single click on a carefully crafted link.

“Attackers could have accessed and modified users’ TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users,” Microsoft added.

The flaw is reported to have been present in all versions of the TikTok Android client, which have been downloaded more than 1.5 billion times.

The problem stemmed from the app’s implementation of JavaScript interfaces, which are widely used across TikTok for Android: native methods exposed to web content running in the app’s WebView. The post delves into the technical details, but in essence, Microsoft was able to demonstrate an account compromise by combining the app’s handling of these JavaScript bridges with a weakness in how the app processed deep-link URLs routed to it by Android, so that a link of the attacker’s choosing could be loaded in a WebView that exposed the bridges.
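To make the mechanism concrete, the following is an added illustration written for this article. It is not TikTok’s code and it does not reproduce the exploit chain from Microsoft’s report; it shows the generic pattern a practitioner should look for in any Android app. It assumes a hypothetical activity that takes a URL from a deep link and loads it in a WebView that exposes a JavaScript bridge; the names DeepLinkWebViewActivity, AppBridge, the `url` query parameter and the example.com hosts are all assumptions. The commented-out `loadUrl` call is the vulnerable form; the allowlist check beneath it is the fix.

```java
// Added illustration, not TikTok's code. Hypothetical names throughout.
package com.example.deeplinkdemo;

import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class DeepLinkWebViewActivity extends Activity {

    // Hypothetical bridge exposed to page JavaScript as window.AppBridge.
    // Every page loaded in this WebView can call it, which is why the loaded URL must be trusted.
    static class AppBridge {
        private final String sessionToken;
        AppBridge(String sessionToken) { this.sessionToken = sessionToken; }

        @JavascriptInterface   // required on API 17+ for the method to be callable from JS
        public String getSessionToken() { return sessionToken; }
    }

    // Exact hostnames the WebView is allowed to load (assumed values).
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com", "m.example.com"));

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new AppBridge(loadSessionToken()), "AppBridge");
        setContentView(webView);

        // Deep link of the form exampleapp://webview?url=https://... delivered by Android.
        Uri deepLink = getIntent().getData();
        String target = deepLink == null ? null : deepLink.getQueryParameter("url");
        if (target == null) { finish(); return; }

        // VULNERABLE: loading the attacker-controlled URL as-is. A page on attacker.example
        // could then call window.AppBridge.getSessionToken() and exfiltrate the token.
        // webView.loadUrl(target);

        // HARDENED: load only URLs that pass a strict allowlist check.
        if (isAllowedUrl(target)) {
            webView.loadUrl(target);
        } else {
            finish();
        }
    }

    /**
     * Strict check: https only, no userinfo, no custom port, exact host match.
     * Uri.parse is lenient, so each component is validated explicitly rather than
     * relying on startsWith()/contains() on the raw string, which suffix and
     * userinfo tricks (www.example.com.attacker.example, www.example.com@attacker.example) defeat.
     */
    static boolean isAllowedUrl(String candidate) {
        Uri uri = Uri.parse(candidate);
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        if (uri.getUserInfo() != null) return false;
        if (uri.getPort() != -1) return false;
        String host = uri.getHost();
        if (host == null || host.isEmpty()) return false;
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    // Stand-in for real credential storage; assumed for the illustration.
    private String loadSessionToken() { return "placeholder-token"; }
}
```

The design point is that the bridge, not the URL parser, is the asset: once any untrusted origin can execute in a WebView that has `addJavascriptInterface` registered, every annotated method is reachable from that page. Reducing the bridge to the minimum methods needed, and never loading a URL taken from an intent without an exact-host allowlist, are the two controls that close this class of bug.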

Fortunately, the researchers found no indication of the vulnerability being exploited in the wild, and the issue was fixed quickly after Microsoft reported it to TikTok in February. According to Microsoft, the TikTok security team should be applauded for its quick and efficient response.

“This case displays how the ability to coordinate research and threat intelligence sharing via expert, cross-industry collaboration is necessary to effectively mitigate issues,” Dimitrios Valsamaras of the Microsoft 365 Defender Research Team explained.

