There was an exploitable vulnerability in the Android version of TikTok that would have allowed attackers to take over, and even shut down, a user’s account with a single click. The bug affected only the Android version of the app. Fortunately, Microsoft found and reported the issue, and found no evidence that this serious flaw had been used with malicious intent.
TikTok is a wildly popular app: it has been downloaded more than 1.5 billion times from the Google Play Store. That is up to 1.5 billion users whose data was at risk. We do not know how long the vulnerability existed, but Microsoft reports that TikTok’s security team was notified in February 2022.
It is rare that an app can be compromised so completely and so quickly through a one-click link, and it required several factors to line up. First, an attacker could get the app to load an arbitrary URL in its in-app browser (the Android WebView) rather than a trusted page. Second, because the app exposed JavaScript functionality to pages loaded in that view, the attacker’s page could invoke it and gain a foothold inside the app. Microsoft has previously researched how exposed JavaScript interfaces of this kind become back channels that ransomware and other malware can use for backdoor access. As such, this oversight could have resulted in disaster: it is thanks to luck and a team’s hard work that TikTok is not responsible for a data breach.
The Microsoft report linked above provides a wealth of detail on how this would have played out in the code. It is a great resource if you’re curious.
In short, an attacker could have triggered a chain of calls through the app’s own functionality to retrieve an authentication token, which then granted access to the user’s profile without needing a password. From there, the attacker would have access to everything stored in the account, such as private videos, likes, and followers, including any drafted videos and private messages between users. It would also give the attacker a direct line to that user’s followers.
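The root of the chain described above is an in-app browser that loads a URL the app did not choose while still exposing privileged JavaScript functionality to it. As an added illustration (not code from the original post, from TikTok, or from Microsoft’s report), the following routine shows how a deep-link handler can decide whether a URL may be opened in the in-app WebView at all, with anything else sent to the system browser where no app bridges exist. The hosts and sample URLs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Domains the app is allowed to render in its privileged in-app WebView
# (constructed for this example; exact host or a true subdomain passes).
TRUSTED_DOMAINS = ("trusted.example",)


def _host_matches(host: str, domain: str) -> bool:
    """Exact match or a real subdomain, anchored on the dot so that
    'trusted.example.evil.example' and 'nottrusted.example' both fail."""
    return host == domain or host.endswith("." + domain)


def is_allowed_webview_url(url: str) -> bool:
    """Return True only if the URL is safe to open in the in-app WebView
    that exposes JavaScript bridges. Parse the URL and check its parts;
    a substring test such as '"trusted.example" in url' is NOT enough,
    because an attacker host can carry the trusted name in its path or query."""
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed netloc (e.g. bad IPv6 brackets)
        return False
    if parts.scheme != "https":  # rejects http://, javascript:, file://, intent:
        return False
    if parts.username or parts.password:
        # 'https://trusted.example@evil.example/' - hostname already excludes
        # the userinfo part, but we refuse such URLs explicitly anyway.
        return False
    host = parts.hostname        # lowercased, port and userinfo stripped
    if not host:
        return False
    return any(_host_matches(host, d) for d in TRUSTED_DOMAINS)


def route_deep_link(url: str) -> str:
    """Decide where an incoming deep link is rendered."""
    return "webview" if is_allowed_webview_url(url) else "external-browser"


if __name__ == "__main__":
    # Constructed sample links, as a deep-link handler might receive them.
    for sample in (
        "https://www.trusted.example/video/1",
        "https://evil.example/?next=https://www.trusted.example/",
        "https://trusted.example.evil.example/",
    ):
        print(f"{route_deep_link(sample):17} {sample}")
```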
It could have been very bad, and it demonstrates the importance of proactive cybersecurity care in companies, as well as serving as a warning against poor Internet safety practices. This intrusion still required a user to click on a link. It can never be stated enough: don’t trust random links.
Read more:
A ‘high severity’ TikTok vulnerability allowed one-click account hijacking – The Verge
Microsoft found TikTok Android flaw that let hackers hijack accounts (bleepingcomputer.com)