For clarity, Microsoft spotted the vulnerability back in February and reported it to TikTok through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). Once notified, TikTok patched it within a month, so users weren’t actually impacted by it at all. But it could have been much worse.
What vulnerability did Microsoft find in the TikTok app for Android?
Now, the vulnerability itself was the result of a compounding chain of issues in the Android version of the top-ranked social media app, affecting versions 23.7.3 and older. All of it culminated in a single flaw that, when taken advantage of, had the potential to give attackers a plethora of ways to access user data and accounts across as many as 1.5 billion installations. As many as 70 ways, in fact.

In terms of how the vulnerability worked, Microsoft indicates that TikTok’s Android app allowed its deeplink verification to be bypassed entirely. That, in turn, meant an attacker could have forced the app to load an attacker-chosen URL in WebView. From that URL, via the app’s JavaScript bridges, the attacker could then have accessed user data as well as authentication tokens granting full account access. The token theft would have worked via a request to an attacker-controlled server that logged the cookies and request headers sent along with it.

In short, an attacker could have initiated the attack by luring a user into clicking a single link that opened the URL. From there, the attacker could have gained access not only to private user data but also to private videos, messaging capabilities, and every other aspect of the user’s TikTok account, including the ability to upload videos.
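The chain above hinges on the deeplink check that decides which URL the app’s WebView may load alongside its JavaScript bridges. As an added illustration (not TikTok’s or Microsoft’s code, and not the actual check the app used), the Java snippet below contrasts a weak host check with a stricter one an Android app could use before handing a deeplink-supplied URL to WebView; the host allowlist, the `url` query parameter, and the class and method names are all assumptions.

```java
// Added example, not code from TikTok or Microsoft: hardening the step where an
// Android app turns a deeplink parameter into a WebView navigation.
import android.net.Uri;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public final class DeeplinkWebViewGuard {

    // Hypothetical allowlist of hosts the app may render in a WebView that has
    // JavaScript bridges attached. Exact hostnames only, no wildcards.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList(
            "www.example-social.test",
            "m.example-social.test"));

    /** Weak check: substring matching is the kind of test a crafted URL slips past. */
    static boolean weakIsTrusted(String url) {
        // A URL whose host merely contains the brand name, or that carries the
        // brand name in its query string, passes this check but is not ours.
        return url != null && url.contains("example-social.test");
    }

    /** Stricter check: parse the URL, then compare scheme and host exactly. */
    static boolean isTrusted(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false;
        // Only https; http, javascript: and custom schemes are rejected outright.
        if (!"https".equals(scheme.toLowerCase(Locale.ROOT))) return false;
        // Reject userinfo (https://trusted@other-host/) so the displayed "host"
        // cannot be faked before the '@'.
        if (uri.getUserInfo() != null) return false;
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /**
     * Deeplink handler entry point (hypothetical): read the target from the
     * "url" query parameter and load it only if it passes the strict check.
     * Returns true when a navigation was actually performed.
     */
    static boolean handleDeeplink(Uri deeplink, WebView webView) {
        String target = deeplink.getQueryParameter("url");
        if (!isTrusted(target)) {
            // Fail closed: no navigation, so the JavaScript bridges are never
            // exposed to an untrusted page.
            return false;
        }
        webView.loadUrl(target);
        return true;
    }
}
```

The design point is that the allowlist comparison runs on the parsed host rather than on the raw string, and that a failed check results in no WebView navigation at all rather than a navigation with bridges still attached; a defender reviewing a deeplink handler would look for exactly those two properties.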