TikTok, the social media app of the moment, had a major vulnerability that could have allowed threat actors to take control of any account. The problem appears to affect only the Android version of the app.
The issue has been detailed by the Microsoft 365 Defender Research Team. In a blog post, the team explains that hundreds of millions of TikTok users could be at risk from the bug. If an intended victim interacts with malicious links, the attack could take control of their account directly.
Microsoft disclosed the bug to TikTok and the company has since issued a patch. However, as with any patched vulnerability, users remain exposed until they actually install the update that carries the fix.
In its write-up, the Microsoft 365 Defender Research Team labels the flaw a “high severity vulnerability,” meaning Microsoft considers it a potent risk to users. The company says it could have been used by attackers to hijack an account, and that the takeover could happen without the victim noticing.
Threat actors would generate a malicious link and send it to TikTok users. If a user clicked the link, the attacker would gain access to all aspects of the account, including the ability to post videos, send and receive messages, and view stored private content.
Quick Response
While the attack was limited to Android, it did affect all global versions of the TikTok app. Android is the most popular OS in the world and TikTok one of the most popular apps. It has over 1.5 billion downloads on the platform.
It is worth noting that TikTok told The Verge there is “no evidence it was exploited by bad actors,” according to TikTok spokesperson Maureen Shanahan, who added that “researchers involved with the discovery and disclosure praised TikTok for a quick response.”
As for Microsoft, it confirms TikTok's version of events, saying the company acted quickly to shore up the vulnerability:
“We gave them information about the vulnerability and collaborated to help fix this issue,” Tanmay Ganacharya, partner director for security research at Microsoft Defender for Endpoint, told The Verge. “TikTok responded quickly, and we commend the efficient and professional resolution from the security team.”
Microsoft details the vulnerability in its blog post. The company says the issue comes from the deep link feature in TikTok's Android app. Deep links are URLs that the operating system routes to a specific app rather than to the browser: an app declares which link schemes and hosts it handles, and when the user taps a matching link on a web page or in a message, Android opens that app and hands it the link to process. Because the link is supplied by whoever wrote it, the app has to treat its contents as untrusted input.
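As an added illustration (this is not code from the article, from Microsoft or from TikTok, and it does not reconstruct the TikTok bug), the following shows how an Android deep link handler is typically wired and where input validation belongs. The app, its package name, the allowlisted hosts and the `url` query parameter are all hypothetical; the point is the general pattern in which a link that matched the app's intent filter still carries parameters the app must validate before acting on them.

```java
// AndroidManifest.xml for a hypothetical app (package com.example.clips):
// this intent filter tells Android to route https://clips.example.com/... links
// to DeepLinkActivity instead of (or in addition to) the browser.
//
// <activity android:name=".DeepLinkActivity" android:exported="true">
//     <intent-filter android:autoVerify="true">
//         <action android:name="android.intent.action.VIEW" />
//         <category android:name="android.intent.category.DEFAULT" />
//         <category android:name="android.intent.category.BROWSABLE" />
//         <data android:scheme="https" android:host="clips.example.com" />
//     </intent-filter>
// </activity>

package com.example.clips;

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import android.webkit.WebView;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class DeepLinkActivity extends Activity {
    private static final String TAG = "DeepLink";

    // Hypothetical allowlist: the only hosts this app will load in its internal WebView.
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<>(Arrays.asList("clips.example.com", "help.example.com"));

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        Intent intent = getIntent();
        Uri link = intent.getData();
        if (!Intent.ACTION_VIEW.equals(intent.getAction()) || link == null) {
            finish();
            return;
        }

        // The intent filter only proves the OUTER link matched our scheme and host.
        // Everything inside it (path, query parameters) was chosen by whoever wrote
        // the link, so a "url" parameter is attacker-controlled by default.
        String rawTarget = link.getQueryParameter("url");
        Uri target = validateTarget(rawTarget);
        if (target == null) {
            Log.w(TAG, "Rejected deep link with missing or untrusted target");
            finish();
            return;
        }

        // Weak pattern, shown only for contrast (do not do this):
        //   webView.loadUrl(rawTarget);   // loads whatever the link author chose
        WebView webView = new WebView(this);
        setContentView(webView);
        webView.loadUrl(target.toString());
    }

    /**
     * Accepts only absolute https URLs whose host is on the allowlist.
     * Returns the parsed Uri on success and null on any failure.
     */
    static Uri validateTarget(String raw) {
        if (raw == null || raw.isEmpty()) return null;
        Uri u = Uri.parse(raw);
        if (!u.isAbsolute() || !u.isHierarchical()) return null;
        if (!"https".equalsIgnoreCase(u.getScheme())) return null;
        // Refuse userinfo outright (https://clips.example.com@evil.example/...)
        // instead of relying on how the parser happens to split it from the host.
        if (u.getUserInfo() != null) return null;
        String host = u.getHost();
        if (host == null || !TRUSTED_HOSTS.contains(host.toLowerCase())) return null;
        return u;
    }
}
```

The key design choice is that the manifest filter and the in-code check answer different questions: the filter decides which links reach the app at all, while `validateTarget` decides what the app is willing to do with the data inside a link that got through. Skipping the second step is what turns a "click this link" lure into code or content running inside the app's own context.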