The Microsoft 365 Defender Research Team reported that a nasty vulnerability was found in the TikTok app for Android. Fortunately, the “high-severity” bug, tracked as CVE-2022-28799, is now fixed.
TikTok bug could have affected millions of users
Microsoft’s cybersecurity research team described the bug as a one-click exploit. Cybercriminals could have taken advantage of the vulnerability by baiting TikTok users with a “specially crafted link.” After a single click, malicious actors could gain immediate access to victims’ TikTok accounts, which means they could view their sensitive information. The attackers could also publicize private videos, send messages, and upload videos on victims’ behalf.

“The vulnerability allowed the app’s deeplink verification to be bypassed,” the Microsoft 365 Defender Research Team said. “Attackers could force the app to load an arbitrary URL to the app’s WebView, allowing the URL to then access the WebView’s attached JavaScript bridges and grant functionality to attackers.”

Microsoft’s cybersecurity team added that TikTok has two Android-based variants: one for East and Southeast Asia and another for the rest of the world. It analyzed both and discovered that the vulnerability affected “both flavors of the app.” Collectively, they have over 1.5 billion installations via the Google Play Store.

Fortunately, to ease some users’ concerns, “there’s no evidence it was exploited by bad actors,” a TikTok spokesperson told The Verge. As mentioned, TikTok has already patched the vulnerability; the Microsoft 365 Defender Research Team praised the social media app for its swift response. “We commend the efficient and professional resolution from the TikTok security team,” the blog post said. Although the vulnerability has been fixed, it’s important that you use the latest version of TikTok to ensure that you’re running the most secure version of the app.
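The defensive check at the heart of this bug class, as an added example that is neither TikTok’s nor Microsoft’s code: a deeplink validator that decides whether a URL may be loaded into a WebView that exposes JavaScript bridges. The allowlisted host names are hypothetical, and the “weak” check is an illustrative substring test, not a claim about how TikTok’s own verification was written.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

public final class DeepLinkGuard {
    // Hosts the privileged WebView may load. Hypothetical values for this example.
    private static final Set<String> ALLOWED_HOSTS = Set.of("www.example.com", "m.example.com");

    // Weak check of the kind that lets deeplink verification be bypassed:
    // a substring test accepts any attacker-controlled URL that merely contains the string.
    static boolean weakCheck(String url) {
        return url.contains("example.com");
    }

    // Hardened check: parse the URL, require https, reject embedded credentials,
    // and require an exact (case-insensitive) host match against the allowlist.
    static boolean isAllowedDeepLinkUrl(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false;                                // unparseable input is never loaded
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        if (uri.getUserInfo() != null) return false;     // blocks https://trusted@evil.test/
        String host = uri.getHost();
        if (host == null) return false;                  // e.g. opaque or relative URIs
        return ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate link and four lookalikes.
        String[] samples = {
            "https://www.example.com/video/123",                 // legitimate
            "https://www.example.com.evil.test/",                // trusted name as a subdomain prefix
            "https://evil.test/?next=https://www.example.com",   // trusted name only in the query
            "https://www.example.com@evil.test/",                // trusted name as userinfo
            "http://www.example.com/",                           // right host, downgraded scheme
        };
        for (String s : samples) {
            System.out.printf("%-52s weak=%-5b hardened=%b%n",
                    s, weakCheck(s), isAllowedDeepLinkUrl(s));
        }
    }
}
```

On Android, apply the same rules with android.net.Uri and gate webView.loadUrl on the result, keeping in mind that WebView’s own (Chromium) URL parser can treat edge cases differently, so reject anything the validator cannot parse unambiguously.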