Microsoft found and reported a high-severity flaw in the TikTok Android app in February that allowed attackers to “quickly and quietly” take over accounts with a single click, by tricking targets into opening a specially crafted malicious link.
“Attackers could have leveraged the vulnerability to hijack an account without users’ awareness if a targeted user simply clicked a specially crafted link,” Microsoft 365 Defender Research Team’s Dimitrios Valsamaras said.
“Attackers could have then accessed and modified users’ TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users.”
Using the exposed methods, threat actors could have accessed or modified TikTok users’ private information or performed authenticated HTTP requests on their behalf.
In short, attackers who successfully exploited this vulnerability could easily have:
- retrieved the users’ authentication tokens (by triggering a request to a server under their control and logging the cookie and the request headers)
Now patched, not exploited in attacks
The security vulnerability, tracked as CVE-2022-28799, has been patched since the release of TikTok version 23.7.3, published less than a month after Microsoft’s initial disclosure.
Microsoft says it has not yet found evidence of CVE-2022-28799 being exploited in the wild.
TikTok users can defend against similar issues by not clicking links from untrusted sources, keeping their apps up to date, only installing apps from official sources, and reporting any strange app behavior as soon as possible.
Additional information on how this vulnerability could have been used in attacks for account takeover can be found in Microsoft’s report.
In November 2020, TikTok fixed vulnerabilities that enabled threat actors to quickly hijack the accounts of users who signed up via third-party apps.
The company has also addressed other security flaws that could have allowed attackers to steal users’ personal information or hijack their accounts to manipulate videos.
According to its Google Play Store entry, TikTok’s Android app has over 1 billion installs. Based on Sensor Tower Store Intelligence estimates, the mobile app has already crossed the 2 billion installs mark on all platforms since April 2020.