Microsoft found a serious one-click exploit in TikTok’s Android app

A serious vulnerability found by Microsoft in the TikTok Android app could have allowed hackers to hijack millions of accounts. On Wednesday, the company detailed a one-click exploit it reported to TikTok in February. The good news is that the social media company quickly patched the vulnerability ahead of today’s disclosure, and Microsoft says it has no evidence of anyone using it in the wild.

“We gave them information about the vulnerability and collaborated to help fix this issue,” said Microsoft’s Tanmay Ganacharya. “TikTok responded quickly and we commend the efficient and professional resolution of the security team.”

According to Microsoft, the vulnerability involved an oversight with TikTok’s deep linking functionality. On Android, developers can program their apps to handle certain URLs in specific ways. For example, when you tap on a Twitter embed in Chrome and the Twitter app automatically opens on your phone as a result, that’s an example of the deep linking feature working as intended.

However, Microsoft found a way to bypass the verification process that TikTok had in place to restrict deep links from executing certain actions. They then discovered that they could use that vulnerability to access all of an account’s core features, including the ability to post content and send messages to other TikTok users. The flaw was present in both global versions of the TikTok Android app. The two releases have more than 1.5 billion downloads between them, meaning the potential impact could have been huge had someone discovered the vulnerability before it was fixed.

Microsoft recommends that all TikTok users on Android download the latest version of the app as soon as possible. More generally, you can protect yourself from similar exploits in the future by not clicking on incomplete links. It’s also good practice to avoid downloading apps, since you don’t know how someone could have tampered with the APK.
