Microsoft discovered a high-severity vulnerability in the TikTok Android app that could have allowed attackers to send messages and to access and upload videos without the user's knowledge.
TikTok's Android apps are among the most popular on Google Play, with over 1.5 billion total downloads.
Researchers determined that the flaw affected both regional versions of the TikTok app. One version is meant for East and Southeast Asia, while another is for the rest of the world.
To exploit the vulnerability (CVE-2022-28799), attackers would have needed to chain together several issues. The critical element, however, was a specially crafted malicious link. Researchers say that once this first step was completed, attackers could have accessed a trove of personal data.
“Attackers could have then accessed and modified users’ TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users,” Microsoft researchers said in a blog post.
The flaw allowed TikTok's deeplink verification to be bypassed. As a result, attackers could force the app to load an arbitrary URL in WebView, the Android component used to display web content inside an app.
“In short, by controlling any of the methods able to perform authenticated HTTP requests, a malicious actor could have compromised a TikTok user account,” Microsoft researchers said.
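The weakness described above is a deeplink check that lets an untrusted URL reach the in-app WebView. The following is an added illustration of a strict check, not code from the article, TikTok or Microsoft; the host names, class names and the `WebView` field are assumptions for the example.

```java
// Added example: validate a deep link before it is handed to a WebView.
// Allowlist hosts and the surrounding activity are constructed placeholders.
import android.net.Uri;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public final class DeepLinkGuard {
    // Constructed allowlist: only these exact hosts may be loaded in the WebView.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(
            Arrays.asList("www.example-app.com", "m.example-app.com"));

    /**
     * Returns a normalized URL string if every check passes, otherwise null.
     * The caller must treat null as "do not load" and show an error instead.
     */
    public static String validateForWebView(String rawUrl) {
        if (rawUrl == null) return null;
        Uri uri = Uri.parse(rawUrl);
        // Absolute https only: rejects javascript:, file:, intent:, http: and relative paths.
        if (!"https".equalsIgnoreCase(uri.getScheme())) return null;
        // Reject embedded credentials (https://trusted@attacker/...) that confuse loose parsers.
        if (uri.getUserInfo() != null) return null;
        String host = uri.getHost();
        if (host == null) return null;
        // Exact, case-insensitive match. endsWith()/contains() checks would accept
        // look-alike hosts such as evil-example-app.com or example-app.com.attacker.net.
        if (!ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) return null;
        return uri.toString();
    }

    /** Loads the deep link only if it passes validation; returns whether it was loaded. */
    public static boolean loadDeepLink(WebView webView, String rawUrl) {
        String safeUrl = validateForWebView(rawUrl);
        if (safeUrl == null) return false;   // caller logs/reports the rejected link
        webView.loadUrl(safeUrl);
        return true;
    }
}
```

Any JavaScript bridge exposed to this WebView (`addJavascriptInterface`) should be attached only after the same validation, since the bridge is what turns an arbitrary page load into authenticated requests on the user's behalf.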
Researchers informed TikTok about the flaw in February and claimed that the company cooperated to fix the bug. Microsoft said there’s no data to confirm the flaw was exploited in the wild.
Last September, researchers discovered a TikTok flaw that exposed user phone numbers. If exploited, the vulnerability would have enabled attackers to build a database linking users to their phone numbers, which could then have been used for malicious activity.
More from Cybernews: