Microsoft Spies A One-Click Account Hijacking Exploit In TikTok's Android App


A new report by Microsoft details a vulnerability in the TikTok Android app that threat actors could have exploited to hijack user accounts with a single click. The vulnerability appears in the National Vulnerability Database with the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-28799 and a high severity rating of 8.8 out of 10. The vulnerability affected both versions of the Android app, one of which is specific to East and Southeast Asia. This potentially puts over 1.5 billion users at risk of account hijacks.

Microsoft security researchers discovered and analyzed the vulnerability, then disclosed their research to TikTok in February of this year. While TikTok may have questionable user data practices, it is in the social media platform's interest to protect user accounts from unauthorized access. According to Microsoft, the social media company responded quickly, pushing out a fix for the vulnerability within a month of being notified. Microsoft waited until now to publicly disclose the vulnerability so TikTok users would have time to update the Android app. The vulnerability affected versions of the app prior to 23.7.3, while the latest version of the app, released today, is 25.9.4.

Compromised TikTok account with modified profile biography (source: Microsoft)

Microsoft discovered the vulnerability in TikTok’s handling of Android deeplinks. Deeplinks are links that the operating system opens in a specific designated app, rather than a web browser, and can direct the app to perform a particular action. The researchers were able to craft a special deeplink that gave an attacker’s server full access to the TikTok app’s JavaScript bridge. The server then leverages this access to load a custom script that steals the user’s authentication tokens and changes the user’s profile biography.
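As an added illustration (not code from TikTok or from Microsoft's report), this is the check a defender would expect to sit between an incoming deeplink and any WebView that exposes a JavaScript bridge: an allowlist on the exact scheme and host of the page the deeplink asks the app to load. The `exampleapp://` scheme, the `url` query parameter and the host list are assumptions, and the inputs in the test are constructed to show why substring or suffix matching on the host is not enough.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist (placeholder hosts, not TikTok's real configuration).
ALLOWED_HOSTS = {"www.example-app.com", "m.example-app.com"}
ALLOWED_SCHEMES = {"https"}


def extract_target(deeplink: str) -> Optional[str]:
    """Return the page URL a deeplink asks the app to open.

    Assumes a hypothetical custom scheme 'exampleapp' and a 'url' query
    parameter; anything else is treated as not carrying a web target.
    """
    parts = urlsplit(deeplink)
    if parts.scheme.lower() != "exampleapp":
        return None
    values = parse_qs(parts.query).get("url")
    return values[0] if values else None


def naive_host_check(url: str) -> bool:
    """The weak pattern: 'does the trusted domain appear in the URL?'.

    Kept only for contrast; it accepts attacker-controlled hosts that merely
    contain or end with the trusted name.
    """
    return "example-app.com" in url


def is_allowed_target(url: str) -> bool:
    """Hardened check: exact scheme match and exact host match.

    urlsplit().hostname strips userinfo ('user@') and the port and lowercases,
    so 'https://www.example-app.com@attacker.invalid/' resolves to the real
    host, attacker.invalid, and is rejected.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname
    return host is not None and host in ALLOWED_HOSTS


def resolve_deeplink(deeplink: str) -> Optional[str]:
    """URL safe to hand to the bridge-enabled WebView, or None to refuse."""
    target = extract_target(deeplink)
    if target is None or not is_allowed_target(target):
        return None
    return target
```

Only the URL returned by `resolve_deeplink` should ever reach a WebView with `addJavascriptInterface` enabled; a `None` result should fall back to a bridge-less view or be dropped.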

The image above shows a user profile with the biography changed by this method to read “!! SECURITY BREACH !!!” However, beyond just changing the profile biography, the attacker could have used the stolen tokens to upload videos, publicize private videos, and send messages. A malicious attacker armed with this exploit could have wreaked havoc on unsuspecting users who simply opened a link. Thankfully, TikTok users don’t have to worry about this vulnerability, so long as they’ve been applying updates.