
A ‘high severity’ TikTok vulnerability allowed one-click account hijacking

by Ozva Admin

A vulnerability in the TikTok Android app could have allowed attackers to take over any account that clicked on a malicious link, potentially affecting hundreds of millions of users on the platform.

Details of the one-click vulnerability were revealed today in a blog post from researchers on the Microsoft 365 Defender research team. The vulnerability was disclosed to TikTok by Microsoft and has since been patched.

The bug and its resulting attack, labeled a “high severity vulnerability,” could have been used to hijack any TikTok user’s account on Android without their knowledge, once they clicked on a specially crafted link. After clicking the link, the attacker would have access to all the main features of the account, including the ability to upload and post videos, send messages to other users, and view private videos stored in the account.

The potential impact was huge, affecting all global variants of the TikTok Android app, which has a total of over 1.5 billion downloads on the Google Play Store. However, there is no evidence that it was exploited by bad actors, said TikTok spokeswoman Maureen Shanahan. Researchers involved in the discovery and disclosure praised TikTok for its quick response.

Microsoft confirmed that TikTok was quick to respond to the report. “We provided them with information about the vulnerability and collaborated to help fix this issue,” Tanmay Ganacharya, associate director of security research at Microsoft Defender for Endpoint, told The Verge. “TikTok responded quickly and we commend the efficient and professional resolution of the security team.”

According to the details published in the blog post, the vulnerability affected the Android app’s deep link functionality. Deep link handling tells the operating system that certain applications may process links in a specific way, such as opening the Twitter application to follow a user after clicking an HTML “Follow this account” button embedded in a web page.

This link handling also includes a verification process that is supposed to restrict the actions taken when an application loads a given link. But the researchers found a way to bypass this verification process and invoke a number of potentially exploitable functions within the app.

One of these functions allowed the researchers to retrieve an authentication token tied to a given user account, effectively granting access to that account without the need to enter a password. In a proof-of-concept attack, the researchers created a malicious link that, when clicked, changed a TikTok account’s bio to read “SECURITY BREACH.”
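The verification step the article refers to is, in general terms, a check on where a deep link points before the app acts on it. As an added illustration that is not code from the TikTok app, from Microsoft’s blog post, or from this article, the following platform-neutral Python sketch contrasts a naive substring check with a strict allowlist check of the kind an Android app would implement in its link handler. The allowlisted host names and the test URLs are constructed for the example, and nothing here describes the specific flaw Microsoft found.

```python
from urllib.parse import urlsplit

# Hosts this hypothetical app is willing to load content from when a deep link
# arrives. Constructed allowlist for illustration only.
ALLOWED_HOSTS = frozenset({"www.example.com", "m.example.com"})


def naive_check(url: str) -> bool:
    """Weak check: a substring match anywhere in the URL.

    Shown only to contrast with strict_check; it accepts any URL that merely
    mentions the expected domain somewhere (path, query, or a lookalike host).
    """
    return "example.com" in url


def strict_check(url: str) -> bool:
    """Strict check: parse the URL and require https, no embedded credentials,
    no explicit port, and an exact, case-insensitive match against ALLOWED_HOSTS.
    Any parsing failure is treated as a rejection."""
    try:
        parts = urlsplit(url)
        # .port raises ValueError for a malformed port, so it stays inside the try.
        port = parts.port
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if port is not None:
        return False
    host = parts.hostname  # already lowercased by urlsplit
    return host is not None and host in ALLOWED_HOSTS


def handle_deep_link(url: str) -> str:
    """Decision a link handler would make: load the link or refuse it."""
    return "load" if strict_check(url) else "reject"


# Constructed test URLs: the first is legitimate, the rest are cases a
# validator must reject even though the naive check waves them through.
SAMPLE_LINKS = [
    "https://www.example.com/video/123",
    "https://evil.test/?ref=example.com",
    "https://www.example.com.evil.test/",
    "https://www.example.com@evil.test/",
    "http://www.example.com/",
    "https://www.example.com:8443/",
]


def compare_checks(urls=SAMPLE_LINKS) -> dict:
    """Return {url: (naive result, strict result)} for each sample link."""
    return {u: (naive_check(u), strict_check(u)) for u in urls}


if __name__ == "__main__":
    for link, (naive, strict) in compare_checks().items():
        print(f"{link:45} naive={naive!s:5} strict={strict!s:5} -> {handle_deep_link(link)}")
```

The important design choices are that the host is compared exactly against a fixed set rather than searched for as a substring, that the check runs on the parsed URL instead of the raw string, and that anything the parser cannot handle cleanly is rejected rather than passed along.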

A screenshot of a compromised account. (Image: Microsoft)

Fortunately, the vulnerability was discovered, and Microsoft used the opportunity to emphasize the importance of collaboration and coordination between technology platforms and vendors.

“As cross-platform threats continue to grow in number and sophistication, vulnerability disclosures, coordinated responses, and other ways to share threat intelligence are needed to help protect the computing experience of users, regardless of the platform or device in use,” wrote Dimitrios Valsamaras of Microsoft in the blog post. “We will continue to work with the broader security community to share research and threat intelligence in an effort to create better protection for all.”

Although the TikTok app is not known to have suffered any major attacks so far, some critics have called it a security risk for other reasons.

Recently, concerns have been raised about the extent to which China-based engineers at ByteDance, the parent company of TikTok, can access US user data. In July, the leaders of the Senate Intelligence Committee asked FTC chair Lina Khan to investigate TikTok after reports disputed claims that US user data was isolated from the company’s Chinese branch.

Correction and update: This story has been updated with a statement from TikTok. An earlier version of this article said that TikTok did not respond at the time of publication. In fact, The Verge had received its comment but did not include it. We are sorry for the mistake.
