An exploitable vulnerability in the Android version of TikTok would have let an attacker take over a user's account with a single click. The bug was present only in the Android app. Fortunately, it was found and reported by Microsoft, which saw no evidence that the flaw had been used with malicious intent before it was fixed.
TikTok is a wildly popular app, with more than 1.5 billion downloads from the Google Play Store alone, so a very large number of accounts could have been exposed. We do not know how long the vulnerability existed, but Microsoft reports that it notified TikTok's security team in February 2022.
The Microsoft report linked earlier explains in detail how the attack works at the code level. It is a great resource if you're curious.
In short, an attacker could have chained together several of the app's own features so that it handed over the user's authentication token, which then gave the attacker access to the user's profile without ever needing the password. From there they could reach everything stored in the account, such as private videos, likes and followers, as well as any drafted videos and private messages between users. It would also put that user's audience of followers in the attacker's hands.
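To make the pattern concrete, here is an added example (my own, not code from TikTok or from Microsoft's report) of the kind of handler a one-click attack like this abuses: an Android activity that receives a deep link and loads a URL taken from that link into a WebView which exposes a JavaScript bridge holding the session token. The activity, host and bridge names are hypothetical. The unchecked load is shown beside an allowlisted one.

```java
import android.app.Activity;
import android.content.Context;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class DeepLinkActivity extends Activity {

    // Hypothetical bridge: any page loaded in the WebView can call
    // window.account.getSessionToken() once this object is attached.
    static final class AccountBridge {
        private final String token;
        AccountBridge(String token) { this.token = token; }

        @JavascriptInterface
        public String getSessionToken() { return token; }
    }

    // Hypothetical trusted host for in-app web content.
    static final String TRUSTED_HOST = "www.example.com";

    private WebView webView;

    @Override
    protected void onCreate(Bundle state) {
        super.onCreate(state);
        webView = new WebView(this);
        webView.getSettings().setJavaScriptEnabled(true);
        String token = getSharedPreferences("session", Context.MODE_PRIVATE)
                .getString("token", "");
        webView.addJavascriptInterface(new AccountBridge(token), "account");
        setContentView(webView);

        // Deep link of the form myapp://open?url=<target>
        Uri link = getIntent().getData();
        String target = (link == null) ? null : link.getQueryParameter("url");
        if (target == null) return;

        loadDeepLinkChecked(target);   // hardened path below
    }

    // VULNERABLE: the URL carried in the deep link is loaded unchecked, so a
    // crafted link (one click) makes the app render an attacker-controlled page
    // that can read the token through the bridge and send it off-device.
    void loadDeepLinkUnchecked(String target) {
        webView.loadUrl(target);
    }

    // HARDENED: only allowlisted HTTPS destinations reach the WebView, and the
    // same check gates every later navigation so a trusted page cannot simply
    // redirect to an untrusted one while the bridge is still attached.
    void loadDeepLinkChecked(String target) {
        if (!isTrustedDestination(target)) return;
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest req) {
                // Returning true cancels the navigation.
                return !isTrustedDestination(req.getUrl().toString());
            }
        });
        webView.loadUrl(target);
    }

    static boolean isTrustedDestination(String target) {
        Uri uri = Uri.parse(target);
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        if (uri.getUserInfo() != null) return false;   // reject https://user@evil/ tricks
        String host = uri.getHost();
        // Exact host match. Avoid host.endsWith("example.com"), which also
        // accepts "notexample.com".
        return host != null && host.equalsIgnoreCase(TRUSTED_HOST);
    }
}
```

The check is applied to the parsed `Uri`, not to the raw string, and the allowlist is enforced on the first load and on every navigation the page triggers afterwards; either gap alone is enough to hand the bridge, and with it the token, to a page the attacker controls.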
It could have been bad, and it demonstrates the importance of proactive security work inside companies, as well as serving as a warning against poor Internet safety habits. The attack required the user to click on a link. It cannot be stated often enough: don't trust random links.