Microsoft found a severe one-click exploit in TikTok’s Android app

Thankfully, TikTok patched the vulnerability.

Sponsored Links

TikTok closeup logo displayed on a phone screen, smartphone and keyboard are seen in this multiple exposure illustration. Tik Tok is a Chinese video-sharing social networking service owned by a Beijing based internet technology company, ByteDance.  It is used to create short dance, lip-sync, comedy and talent videos. ByteDance launched TikTok app for iOS and Android in 2017 and earlier in September 2016 Douyin fror the market in China. TikTok became the most downloaded app in the US in October 2018. President of the USA Donald Trump is threatening and planning to ban the popular video sharing app TikTok from the US because of the security risk. Thessaloniki, Greece - August 1, 2020 (Photo by Nicolas Economou/NurPhoto via Getty Images)
NurPhoto via Getty Images

A serious vulnerability found by Microsoft in the TikTok Android app could have allowed hackers to hijack millions of accounts. On Wednesday, the company’s 365 Defender Research Team detailed a one-click exploit it informed TikTok of in February. The good news is that the social media company promptly patched the vulnerability before today’s disclosure and Microsoft says it has no evidence of someone using it out in the wild.

“We gave them information about the vulnerability and collaborated to help fix this issue,” Microsoft’s Tanmay Ganacharya told The Verge. “TikTok responded quickly, and we commend the efficient and professional resolution from the security team.”

According to Microsoft, the vulnerability involved an oversight with TikTok’s deep linking functionality. On Android, developers can program their apps to handle certain URLs in specific ways. For instance, when you tap on a Twitter embed in Chrome and the Twitter app automatically opens on your phone as a result, that’s an example of the deep linking feature working as intended.

Turn on browser notifications to receive breaking news alerts from Engadget
You can disable notifications at any time in your settings menu.
Not now

However, Microsoft found a way to bypass the verification process TikTok had in place to restrict deep links from executing certain actions. They then discovered they could use that vulnerability to access all the primary functions of an account, including the ability to post content and message other TikTok users. The flaw was present in both global versions of TikTok’s Android app. The two releases have more than 1.5 billion downloads between them, meaning the potential impact of someone discovering the vulnerability before it was patched could have been massive.

Microsoft recommends all TikTok users on Android download the latest version of the app as soon as they can. More broadly, you can protect yourself in the future from similar exploits by not clicking on sketchy links. It’s also good practice to avoid sideloading apps as you don’t know how someone could have altered the APK.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission. All prices are correct at the time of publishing.
View All Comments
Microsoft found a severe one-click exploit in TikTok’s Android app