Microsoft Reveals an Account Takeover Vulnerability in TikTok

Microsoft has revealed a vulnerability in TikTok’s mobile apps for Android that hackers could have exploited to gain control over someone’s account with naught but a single click.

“Attackers could have leveraged the vulnerability to hijack an account without users’ awareness if a targeted user simply clicked a specially crafted link,” Microsoft says. “Attackers could have then accessed and modified users’ TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users.”

The flaw is said to have been present in both versions of TikTok’s app for Android—one for East and Southeast Asia and one for everywhere else—before it was disclosed in February. Microsoft says these apps have more than 1.5 billion downloads combined.

“The TikTok application before 23.7.3 for Android allows account takeover,” TikTok says in the MITRE database entry for CVE-2022-28799. “A crafted URL (unvalidated deeplink) can force the com.zhiliaoapp.musically WebView to load an arbitrary website. This may allow an attacker to leverage an attached JavaScript interface for the takeover with one click.”
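The CVE text describes a generic Android pattern: a deep link carries a URL, the app loads that URL into a WebView that has a JavaScript bridge attached, so any page the attacker can name gets to call the bridge. The following is an added illustration, not TikTok’s code and not taken from Microsoft’s write-up; the package name, the `redirect_uri` parameter, the `AccountBridge` class and the allowlisted hosts are all hypothetical. It shows the vulnerable load beside an exact scheme-and-host allowlist check.

```java
// Added example (not TikTok's code): an unvalidated deep link feeding a WebView that
// carries a JavaScript interface, and the allowlist check that closes the hole.
// Package, parameter name, bridge class and allowed hosts are hypothetical.
package com.example.deeplink;

import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class DeepLinkActivity extends Activity {

    // Hypothetical bridge. Every page loaded into the WebView can call these methods
    // from JavaScript as window.Account.getSessionToken(), regardless of its origin.
    static class AccountBridge {
        private final String sessionToken;
        AccountBridge(String token) { this.sessionToken = token; }

        @JavascriptInterface
        public String getSessionToken() { return sessionToken; }
    }

    // Only first-party origins may be loaded into a WebView that exposes the bridge.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com", "m.example.com"));

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView web = new WebView(this);
        web.getSettings().setJavaScriptEnabled(true);
        web.addJavascriptInterface(new AccountBridge(loadSessionToken()), "Account");
        setContentView(web);

        Uri deepLink = getIntent().getData();
        if (deepLink == null) return;
        // Hypothetical parameter: the deep link names the page to open.
        String target = deepLink.getQueryParameter("redirect_uri");

        // VULNERABLE: whatever the link says is loaded, so a link whose redirect_uri is
        // https://attacker.example/ lands a third-party page next to the bridge.
        // web.loadUrl(target);

        // HARDENED: exact allowlist on scheme and host before the load.
        if (isAllowedTarget(target)) {
            web.loadUrl(target);
        } else {
            finish();
        }
    }

    /** Exact scheme and host match. No prefix, suffix or substring comparison. */
    static boolean isAllowedTarget(String url) {
        if (url == null) return false;
        Uri u = Uri.parse(url);
        String scheme = u.getScheme();
        String host = u.getHost();
        // javascript:, file:, intent: and relative URLs have no https scheme or no host.
        if (scheme == null || host == null) return false;
        if (!scheme.equalsIgnoreCase("https")) return false;
        // Uri.getHost() drops userinfo and port, so https://www.example.com@evil.net/
        // yields host "evil.net"; https://www.example.com.evil.net/ is simply not in the set.
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    private String loadSessionToken() {
        return "session-token-placeholder"; // hypothetical
    }
}
```

The check has to run on the parsed scheme and host, not on the raw string: `startsWith("https://www.example.com")` would pass `https://www.example.com.evil.net/`, and a `contains` check would pass `https://evil.net/?x=www.example.com`. A further reduction in blast radius, independent of the allowlist, is to attach the JavaScript interface only to the WebView instances that actually need it rather than to the one that handles arbitrary deep links.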

Microsoft says the vulnerability “has been fixed and we did not locate any evidence of in-the-wild exploitation.” The company advises TikTok for Android users to make sure they’re using the most recent version of the app. (Especially since hackers are more likely to attempt to exploit the security flaw now that it’s been publicized with several proofs of concept from Microsoft itself.)


TikTok released version 23.7.3 for Android on March 22, according to Softpedia, so users with automatic updates enabled should already have a newer version of the app installed. Additional information about the vulnerability and how it can be exploited in affected versions of the software is available via Microsoft’s blog post as well as HackerOne and GitHub.
