More than one billion TikTok users exposed to ‘one-click account hijacking’

A high-severity vulnerability in the TikTok Android application could have allowed accounts to be hijacked “with a single click”, Microsoft has revealed.

In a paper (opens in new tab) published to the Microsoft Security blog, the company reported that a chain of issues could have been abused to create a scenario whereby an account could be compromised with a single press of a specially crafted link.

“Attackers could have then accessed and modified users’ TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users,” explained Microsoft.

TikTok security bug

The vulnerability in question is said to have been present in all versions of the TikTok Android client, which have collectively been installed more than 1.5 billion times.

The issue revolved around the app’s implementation of JavaScript interfaces, which are used extensively across TikTok for Android. The report dives into the technical nitty gritty but, in essence, by exploiting the app’s handling of JavaScript interfaces, in combination with the way Android routes URLs, Microsoft was able to demonstrate an account compromise.

Mercifully, the researchers did not discover any evidence the vulnerability was exploited in the wild – and the issue was patched shortly after the issue was disclosed back in February. According to Microsoft, the TikTok security team should be commended for the swiftness and efficiency of its response. 

“This case displays how the ability to coordinate research and threat intelligence sharing via expert, cross-industry collaboration is necessary to effectively mitigate issues,” said Dimitrios Valsamaras, of the Microsoft 365 Defender Research Team.

“As threats across platforms continue to grow in numbers and sophistication, vulnerability disclosures, coordinated response, and other forms of threat intelligence sharing are needed to help secure users’ computing experience, regardless of the platform or device in use.”

Although the patch will already have made its way to the majority of TikTok-ers, concerned users can guarantee they are protected by updating their app to the latest version.