
‘High Severity’ TikTok Vulnerability Allows One Click Account Hijacking

A vulnerability in the TikTok app for Android could allow an attacker to take over any account that clicks on a malicious link, potentially affecting hundreds of millions of users on the platform.

Details of the one-click exploit were revealed today in a blog post by researchers from Microsoft’s 365 Defender research team. Microsoft disclosed the vulnerability to TikTok and it has since been patched.

The bug and the resulting attack, labeled a “high severity vulnerability,” could be used to hijack any TikTok user’s account on Android without their knowledge, after they click on a specially crafted link. After clicking the link, the attacker has access to all basic functions of the account, including uploading and posting videos, sending messages to other users, and viewing private videos stored on the account.

The potential impact is huge, as the bug affects all global variants of the Android TikTok app, which has over 1.5 billion downloads in total on the Google Play Store. However, there is no evidence that it has been exploited at scale. Researchers involved in the discovery and disclosure praised TikTok for its quick response.

“We provided them with information about the vulnerability and collaborated to help resolve this issue,” Tanmay Ganacharya, partner director of security research at Microsoft Defender for Endpoint, told The Verge. “TikTok responded quickly and we appreciate the efficient and professional solution from the security team.”

According to details published in a blog post, the vulnerability affected the Android app’s deep link functionality. Deep links tell the operating system that a particular app should handle certain links in a certain way, such as opening the Twitter app to follow a user after clicking an HTML “Follow this account” button embedded in a webpage.

This link handling also includes a validation process that limits the actions an application can take when a given link is loaded. But the researchers found a way to bypass this verification and invoke several functions within the app that could be weaponized.

One of these functions enables the retrieval of an authentication token associated with a particular user account, effectively granting account access without the need to enter a password. In a proof-of-concept attack, the researchers created a malicious link that, when clicked, changed the TikTok account bio to read “security breach”.
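The article does not say how TikTok’s deep link validation was bypassed. As an added illustration of the general class of check involved (not TikTok’s code and not Microsoft’s findings), the Python below contrasts a substring-based trust check on a deep link URL with a strict one that parses the URL and compares scheme, host and path exactly; the hosts, paths and sample links are constructed.

```python
from urllib.parse import urlsplit

# Constructed allowlist for a hypothetical app; not any real app's configuration.
TRUSTED_HOSTS = {"app.example.com", "m.example.com"}
ALLOWED_PATHS = {"/profile", "/video"}


def weak_is_trusted(url: str) -> bool:
    """Substring check: trusts any URL that merely mentions the domain."""
    return "example.com" in url


def strict_is_trusted(url: str) -> bool:
    """Parse first, then require https, an exact trusted host and a known path."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username or parts.password:  # reject user@host forms
        return False
    host = (parts.hostname or "").lower()
    if host not in TRUSTED_HOSTS:
        return False
    try:
        port = parts.port
    except ValueError:  # malformed port
        return False
    if port not in (None, 443):
        return False
    return parts.path in ALLOWED_PATHS


# Constructed sample deep links with the verdict a handler should reach.
SAMPLE_LINKS = [
    ("https://app.example.com/profile", True),
    ("https://evil.example/profile?next=app.example.com", False),
    ("https://app.example.com@evil.example/profile", False),
    ("https://app.example.com.evil.example/video", False),
    ("http://app.example.com/profile", False),
    ("https://app.example.com/settings", False),
]


def compare_checks() -> list:
    """Return the sample links on which the weak check gives the wrong verdict."""
    return [url for url, expected in SAMPLE_LINKS if weak_is_trusted(url) != expected]


if __name__ == "__main__":
    for url, expected in SAMPLE_LINKS:
        print(f"{url:55} weak={weak_is_trusted(url)!s:5} strict={strict_is_trusted(url)!s:5} expected={expected}")
```

On the sample set the strict check matches every expected verdict, while the substring check accepts five of the six links it should reject. Android’s `Uri` class exposes the same scheme, host, port and path fields, so the same comparison applies in an app’s link handler.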


A screenshot of the compromised account. Image: Microsoft

Fortunately, the vulnerability was discovered and Microsoft took the opportunity to emphasize the importance of collaboration and coordination between technology platforms and vendors.

“As threats continue to grow in numbers and sophistication across platforms, vulnerability disclosure, coordinated response and other forms of threat intelligence sharing are essential to help keep users’ computing experiences secure,” wrote Microsoft’s Dimitrios Valsamaras in a blog post. “We will continue to work with the larger security community to share research and intelligence about threats in an effort to build better defenses for all.”

While the TikTok app is not known to have faced major hacks so far, some critics have cited it as a security risk for other reasons.

Recently, concerns have been raised about the extent to which Chinese engineers at ByteDance, TikTok’s parent company, may have access to US user data. In July, Senate Intelligence Committee leaders called on FTC Chair Lina Khan to investigate TikTok after reports cast doubt on whether US consumer data had been walled off from the company’s China branch.

TikTok did not respond to The Verge’s questions by the time of publication.
