
TikTok's Android app had a vulnerability giving attackers undetectable access to accounts


Today, Microsoft has disclosed a vulnerability within the TikTok Android app, which allowed attackers to access user accounts with a single click. This follows a recent clarification by TikTok on a suspected data breach in the U.S.

Exploiting the flaw required several issues to be chained together. It has already been fixed, and there is no evidence of in-the-wild exploitation; had it been used, attackers could have made use of it without the user's awareness.

The vulnerability itself allowed attackers to bypass the app's deep link verification and force it to load an arbitrary URL in the app's WebView, where the loaded page could reach the JavaScript bridges attached to that WebView and use the functionality they expose.
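One way to implement the deep link verification the article refers to, added here as an example in plain Java that is not TikTok's or Microsoft's code; the allowlisted hostnames and the `route` helper are assumptions:

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/** Allowlist check applied before a deep-linked URL may be loaded into a WebView
 *  that exposes JavaScript bridges. Hosts below are constructed placeholders. */
public final class DeepLinkPolicy {
    // Hypothetical first-party hosts; a real app would ship its own list.
    private static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com", "m.example.com");

    public static boolean isAllowed(String url) {
        final URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false;                        // unparseable: never load it
        }
        // Only https: rejects javascript:, file:, intent: and plain http.
        if (uri.getScheme() == null || !"https".equalsIgnoreCase(uri.getScheme())) return false;
        // A parsed host must be present; opaque URIs and malformed hosts yield null.
        if (uri.getHost() == null) return false;
        // "https://app.example.com@evil.example/" parses the trusted name as userinfo, not host.
        if (uri.getRawUserInfo() != null) return false;
        // Exact match only: startsWith/endsWith would accept "app.example.com.evil.example".
        String host = uri.getHost().toLowerCase(Locale.ROOT);
        if (!ALLOWED_HOSTS.contains(host)) return false;
        // Default port or explicit 443 only.
        return uri.getPort() == -1 || uri.getPort() == 443;
    }

    /** Where the decision is applied: the WebView with the bridge gets only vetted URLs. */
    public static String route(String url) {
        // In an Android app this is webView.loadUrl(url) versus an ACTION_VIEW intent to the browser.
        return isAllowed(url) ? "WEBVIEW" : "EXTERNAL_BROWSER";
    }

    public static void main(String[] args) {
        String[] samples = {                     // constructed inputs
            "https://app.example.com/profile?id=42",   // WEBVIEW
            "https://APP.EXAMPLE.COM:443/settings",    // WEBVIEW (case and default port tolerated)
            "http://app.example.com/profile",          // EXTERNAL_BROWSER (not https)
            "https://app.example.com.evil.example/",   // EXTERNAL_BROWSER (suffix, not exact host)
            "https://app.example.com@evil.example/",   // EXTERNAL_BROWSER (trusted name is userinfo)
            "javascript:void(0)",                      // EXTERNAL_BROWSER (no https, no host)
        };
        for (String s : samples) System.out.println(route(s) + "  " + s);
    }
}
```

Only a URL that passes `isAllowed` reaches the WebView carrying the JavaScript interface; everything else is handed to the system browser, which has no access to those bridges.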

There are two different variations of the TikTok app, one for East and Southeast Asia and the other for the remaining countries. Both were affected by this exploit, and Microsoft notified TikTok of the issue back in February 2022.

TikTok released an update to the app in March 2022, working with Microsoft to close the loophole quickly. Thankfully the flaw was not actively exploited, as it could have been used to post videos and other content to the platform without being detected. Microsoft reiterated that JavaScript should be avoided where possible, since doing so prevents significant risks.
