A “high severity” security flaw in TikTok’s Android app put hundreds of millions of the popular social media app’s users at risk of having their accounts hijacked, Microsoft’s cybersecurity team said Wednesday.
The flaw would have let hackers take over a TikTok user’s account by getting them to click on a single link, the researchers said.
“Attackers could have leveraged the vulnerability to hijack an account without users’ awareness if a targeted user simply clicked a specially crafted link,” Dimitrios Valsamaras of Microsoft’s 365 Defender research team wrote.
“Attackers could have then accessed and modified users’ TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users.”
TikTok fixed the flaw after being notified by Microsoft and there’s no evidence it was actually exploited by hackers, both companies said.
The iPhone version of the app was reportedly not affected.
The Chinese-owned social media app has more than 1 billion active users.
“Through our partnership with security researchers at Microsoft, we discovered and quickly fixed a vulnerability in some older versions of the Android app,” a TikTok spokesperson told The Post. “We appreciate the Microsoft researchers for their efforts to help identify potential issues so we can resolve them.”
If the flaw hadn’t been discovered, it could have affected hundreds of millions of Android users across the globe. TikTok’s app has been downloaded through the Google Play Store more than 1.5 billion times.
According to Microsoft’s report, the security team was able to create a link that gave them access to a user’s account without their password.
When a user clicked on the link as part of a test, Microsoft was able to alter the user’s account so that it read “!! SECURITY BREACH !!!”
“This case displays how the ability to coordinate research and threat intelligence sharing via expert, cross-industry collaboration is necessary to effectively mitigate issues,” Valsamaras wrote. “We will continue to work with the larger security community to share research and intelligence about threats in the effort to build better protection for all.”