Explained: How Microsoft saved TikTok Android users from a critical vulnerability – Times of India

Cybersecurity researchers at Microsoft have discovered a critical security bug that exposed the TikTok app for Android users to hackers. The tech giant has updated its Microsoft Security blog to reveal the vulnerability and reported that this exploit (if misused) could’ve threatened the privacy of 1.5 billion users (Google Play Store data) who use TikTok on their Android devices. However, the blog mentions that the “high-severity” exploit named CVE-2022-28799 is now fixed and the Microsoft security team has found no evidence of hackers using it to break into accounts.
How this security bug exposed the TikTok Android app
Microsoft has identified that this bug was present in all versions of the TikTok Android app which was installed more than 1.5 billion times. The Android version of the TikTok app extensively uses JavaScript interfaces and the tech giant proved that these interfaces can be exploited to victimise users. By combining how Android routes URLs and exploiting the app’s handling of JavaScript interfaces, Microsoft was also able to demonstrate an account compromise.

According to the blog post, this vulnerability allowed the “app’s deep link verification to be bypassed.” This would’ve allowed the attackers to “force the app to load an arbitrary URL to the app’s WebView, allowing the URL to then access the WebView’s attached JavaScript bridges and grant functionality to attackers,” the blog added.
How this vulnerability could’ve been misused
As per the blog, if hackers decided to exploit this vulnerability, they could have accessed accounts with a single click from the users. The blog even mentions that attackers could have even distributed a compromised link through email or other online messaging services.
A single tap on these links would have victimised the users by allowing hackers to access their TikTok accounts, immediately compromising your account. Cyber attackers could have used this vulnerability to publicise private videos, send messages and upload videos on the victims’ behalf.
How TikTok reacted to this security bug
Microsoft’s 365 Defender Research Team spotted the security bug for the first time in February and reported it to TikTok for redressal. The Chinese social media company claimed to have fixed this vulnerability and believes that none of the accounts was compromised.

Moreover, even Microsoft confirmed that the vulnerability has been fixed and the company couldn’t locate “any evidence of in-the-wild exploitation,” through the blog. Furthermore, TikTok has also claimed that there was “no evidence” of the bug being exploited by cyber attackers.
How users can stay safe
The blog also suggests that most TikTok users on Android have already received the patch. However, users who are unsure of their security should update their app to the latest version. Moreover, users should also try to verify the sender before clicking on a link sent from an unknown email address or phone number.