Microsoft Reveals an Account Takeover Vulnerability in TikTok

Hackers could have taken over TikTok accounts 'with a single click' by exploiting this flaw.

By Nathaniel Mott, Contributing Writer

Microsoft has disclosed a vulnerability in TikTok's Android apps that attackers could have exploited to take over a victim's account with nothing more than a single click on a crafted link.

"Attackers could have leveraged the vulnerability to hijack an account without users’ awareness if a targeted user simply clicked a specially crafted link," Microsoft says. "Attackers could have then accessed and modified users’ TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users."

The flaw is said to have been present in both versions of TikTok's app for Android, one for East and Southeast Asia (package name com.ss.android.ugc.trill) and one for everywhere else (com.zhiliaoapp.musically), before Microsoft disclosed it to TikTok in February 2022. Microsoft says these apps have more than 1.5 billion downloads combined.

"The TikTok application before 23.7.3 for Android allows account takeover," TikTok says in the MITRE database entry for CVE-2022-28799. "A crafted URL (unvalidated deeplink) can force the com.zhiliaoapp.musically WebView to load an arbitrary website. This may allow an attacker to leverage an attached JavaScript interface for the takeover with one click." In other words, the app accepted a URL from a deep link and loaded it in an in-app WebView that had a JavaScript bridge attached. A JavaScript bridge is exposed to whatever page the WebView loads, so an attacker's page could call the app's bridged methods just as TikTok's own pages do.
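What "unvalidated deeplink" means in practice, as an added illustration that is not TikTok's code and not Microsoft's proof of concept: the deep-link handler pulls a URL out of the link and must decide whether that URL may be loaded into the bridged WebView. The parameter name redirect_url, the deep-link path, the allowlisted hosts and the sample URLs below are assumptions constructed for the example; the same decision belongs in the Android handler immediately before WebView.loadUrl.

```python
"""Added illustration of the bug class behind CVE-2022-28799: a deep link
carries a URL that the app loads into a WebView with a JavaScript bridge
attached. Not TikTok's code or Microsoft's proof of concept; the parameter
name "redirect_url", the deep-link path and the allowlisted hosts are
assumptions made for this example."""
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

# Assumed allowlist: only pages from these hosts may use the JS bridge.
TRUSTED_HOSTS = {"tiktok.com", "m.tiktok.com", "www.tiktok.com"}
# Assumed: subdomains under this suffix are also first-party.
TRUSTED_SUFFIXES = (".tiktok.com",)

# Assumed deep-link shape for the example.
DEEPLINK_BASE = "https://m.tiktok.com/redirect?redirect_url="


def build_deeplink(target: str) -> str:
    """Build the crafted link a victim would be asked to click
    (constructed for the example)."""
    return DEEPLINK_BASE + quote(target, safe="")


def extract_target(deeplink: str) -> Optional[str]:
    """Return the URL the deep link asks the WebView to load, or None."""
    values = parse_qs(urlsplit(deeplink).query).get("redirect_url")
    return values[0] if values else None


def naive_check(target: str) -> bool:
    """A substring check: accepts anything that mentions the domain.
    Shown only to demonstrate what it lets through."""
    return "tiktok.com" in target


def strict_check(target: str) -> bool:
    """Hardened check: parse the URL, require https, reject embedded
    credentials, and compare the parsed host (not the raw string)
    against the allowlist."""
    try:
        parts = urlsplit(target)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    if host in TRUSTED_HOSTS:
        return True
    return any(host.endswith(suffix) for suffix in TRUSTED_SUFFIXES)


def should_attach_bridge(deeplink: str) -> bool:
    """Decision the deep-link handler should make before WebView.loadUrl:
    load the target with the JavaScript interface attached only when the
    strict check passes."""
    target = extract_target(deeplink)
    return target is not None and strict_check(target)


# Constructed sample targets: (url, what it demonstrates)
SAMPLES = [
    ("https://m.tiktok.com/settings", "legitimate first-party page"),
    ("https://evil.example/?r=tiktok.com", "domain only in the query string"),
    ("https://tiktok.com.evil.example/", "allowlisted name as a prefix"),
    ("https://m.tiktok.com@evil.example/", "allowlisted name as userinfo"),
    ("http://m.tiktok.com/", "plaintext http, injectable on the wire"),
]

if __name__ == "__main__":
    for url, why in SAMPLES:
        print(f"{why:40} naive={naive_check(url)!s:5} strict={strict_check(url)}")
```

The substring check passes four of the five constructed samples; the strict check passes only the first. The point is that the decision must be made on the parsed scheme and host, never on the raw string, because the raw string can mention the trusted domain in the query, in a longer hostname, or in the userinfo part while the browser resolves it to an attacker's server. The example does not cover internationalised hostnames or per-path allowlists, which a production handler would also need.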

Microsoft says the vulnerability "has been fixed and we did not locate any evidence of in-the-wild exploitation." The company advises TikTok for Android users to make sure they're using the most recent version of the app. (Especially since hackers are more likely to attempt to exploit the security flaw now that it's been publicized with several proofs of concept from Microsoft itself.)

TikTok released version 23.7.3 for Android on March 22, 2022, according to Softpedia, so users with automatic updates enabled should already have the fixed version or a later one installed. Additional information about the vulnerability and how it can be exploited in affected versions of the software is available via Microsoft's blog post as well as HackerOne and GitHub.

About Our Expert

Nathaniel Mott, Contributing Writer

I've been writing about tech, including everything from privacy and security to consumer electronics and startups, since 2011 for a variety of publications.