A critical vulnerability has just been found by Microsoft in the TikTok Android app, which could allow hackers to take over millions of accounts.
According to Engadget, a report from Microsoft’s 365 Defender research team detailed how hackers were able to attack users with a single click. Microsoft reported the flaw to TikTok in February, and TikTok quickly patched the vulnerability before Microsoft disclosed it. Microsoft said it had no evidence that the vulnerability had been exploited by anyone.
“We provided them with information about the vulnerability and worked together to help fix it,” said Microsoft security researcher Tanmay Ganacharya. “TikTok responded quickly and we commend the efficient and professional resolution from their security team.”
Microsoft says the vulnerability is related to the handling of TikTok’s deep linking functionality. On Android, developers can program their apps to handle certain URLs in specific ways. For example, when a user taps a Twitter link in Chrome, the Twitter app automatically opens on their phone.
However, Microsoft found a way to bypass the verification process that TikTok had put in place to restrict deep links from taking certain actions. The researchers then discovered that they could use that weakness to gain access to all major account functions, including the ability to post content and to message other TikTok users. The vulnerability is present in both global versions of the TikTok for Android app, which together have over 1.5 billion downloads, so the potential impact of the vulnerability would be significant if it were not fixed.
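The defensive side of this class of bug is the check an app runs on a URL that arrives through a deep link before it acts on it (for instance before loading it in a WebView). The following is an added example written for this article, not TikTok's code and not Microsoft's proof of concept: a strict allowlist validator in Java that an Android Activity could call on the URL it receives from `getIntent().getData()`. The host names, the allowlist and the sample inputs are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/**
 * Added example: strict validation of a URL received via an Android deep link.
 * Only absolute https URLs whose host exactly matches a constructed allowlist
 * are accepted; everything else is rejected. The hosts below are placeholders,
 * not any real app's configuration.
 */
public final class DeepLinkValidator {

    // Constructed allowlist of exact, lower-case host names.
    private static final Set<String> ALLOWED_HOSTS = Set.of(
            "app.example.com",
            "www.example.com");

    /** Returns true only if rawUrl is an https URL whose host is on the allowlist. */
    public static boolean isAllowed(String rawUrl) {
        final URI uri;
        try {
            uri = new URI(rawUrl);
        } catch (URISyntaxException e) {
            return false; // unparsable input is rejected, never "repaired"
        }
        // Only absolute https URLs qualify; "javascript:", "http:" and relative paths fail here.
        if (uri.getScheme() == null || !uri.getScheme().equalsIgnoreCase("https")) {
            return false;
        }
        // Reject the "trusted.host@real.host" form, which defeats substring checks.
        if (uri.getUserInfo() != null) {
            return false;
        }
        String host = uri.getHost();
        if (host == null || host.isEmpty()) {
            return false;
        }
        host = host.toLowerCase(Locale.ROOT);
        // A trailing dot ("example.com.") names the same host; normalise it away.
        if (host.endsWith(".")) {
            host = host.substring(0, host.length() - 1);
        }
        // Exact match only: endsWith()/contains() would accept "app.example.com.attacker.test".
        return ALLOWED_HOSTS.contains(host);
    }

    public static void main(String[] args) {
        // Constructed sample inputs and the expected decision for each.
        String[] samples = {
            "https://app.example.com/video/123",        // ALLOW: scheme and host match
            "http://app.example.com/video/123",         // DENY: not https
            "https://app.example.com.attacker.test/x",  // DENY: lookalike host
            "https://app.example.com@attacker.test/x",  // DENY: userinfo trick, real host is attacker.test
            "https://APP.EXAMPLE.COM./x",               // ALLOW: case and trailing dot normalised
            "javascript:alert(1)",                      // DENY: not a web URL at all
            "/relative/path",                           // DENY: no scheme or host
        };
        for (String s : samples) {
            System.out.println((isAllowed(s) ? "ALLOW " : "DENY  ") + s);
        }
    }
}
```

The point of the example is the shape of the check, not the specific hosts: parse the URL with a real parser, compare the host for exact equality against a short allowlist, and refuse anything the parser cannot make sense of. Checks built on substring matching over the raw string are the ones that the kind of bypass described above tends to defeat.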
Microsoft recommends that all TikTok users on Android update to the latest version of the app as soon as possible. Users are also advised to avoid downloading apps from external sources, which may distribute modified APK files.