Patched TikTok security flaw allowed one-click account takeovers

A TikTok vulnerability could have allowed hackers to hijack user accounts on the short-form video app with one click, researchers at Microsoft said Wednesday.

The vulnerability, which is identified as CVE-2022-28799, affected versions of TikTok’s Android app, which have over 1.5 billion installations combined. In an extensive write-up, Microsoft’s 365 Defender Research Team said it contacted TikTok about the bug in February, and the company quickly released a fix for the vulnerability.

“We commend the efficient and professional resolution from the TikTok security team,” the researchers said. “TikTok users are encouraged to ensure they’re using the latest version of the app.”

The bug involved the way TikTok programmed what’s known as deeplinking — an Android feature that lets apps handle certain links in specific ways. Deeplinking is benignly used when, for example, the Reddit app automatically opens on a phone after the user clicks on an embed button in Chrome.

According to Microsoft, the vulnerability allowed TikTok’s deeplink verification process to be bypassed. “Attackers could force the app to load an arbitrary URL to the app’s WebView, allowing the URL to then access the WebView’s attached JavaScript bridges and grant functionality to attackers,” the researchers wrote.

The result is that an attacker could use the vulnerability to upload videos and send messages on behalf of users, as well as access sensitive information such as private videos.

Although the vulnerability was not particularly straightforward — it would require attackers to string together several exploits — the delivery was simple. In a proof of concept shared by the company, the researchers crafted a malicious link that, when clicked, changed a TikTok account’s profile to read “!! SECURITY BREACH !!”

Microsoft said that it did not find any evidence that the bug had been exploited in the wild. A TikTok spokesperson, in comments to The Record, emphasized this point and highlighted the company's bug bounty program, which has been run through HackerOne since October 2020.

"Through our partnership with security researchers at Microsoft, we discovered and quickly fixed a vulnerability in some older versions of the Android app. We appreciate the Microsoft researchers for their efforts to help identify potential issues so we can resolve them," the spokesperson said.

The company over the last several years has fended off criticism from lawmakers and government officials that it poses a security risk because of the data it collects and its ties to China. Last February, researchers at cybersecurity firm Check Point said a vulnerability left users' private information exposed. The same company in 2020 discovered bugs that would have allowed hackers to take over accounts by messaging users with malicious links.