TikTok: a flaw allowed undetectable access to accounts

Microsoft has reported to TikTok a flaw that allowed an attacker to access user accounts without their knowledge. The vulnerability, since fixed, lay in the Android application of the social network, which has more than a billion users worldwide.


This flaw, which affected TikTok for Android version 23.7.3 and earlier, required several issues to be chained together before it could be exploited. According to Microsoft, no one exploited it, so no user is likely to have been affected by this vulnerability.

There are actually two versions of TikTok on Android, one for East and Southeast Asia, and another for the rest of the world. Microsoft performed a vulnerability assessment and found that both versions were affected.

The vulnerability itself allowed an attacker to bypass the application's deep link verification and force it to load an arbitrary URL into the application's WebView, which exposed the JavaScript interfaces registered in that WebView, along with the privileges they grant. An attacker could also have retrieved the user's authentication tokens by triggering a request to a server they controlled and recording the request's cookies and headers.
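To make the bug class concrete, here is an added illustration (not TikTok's code, and not Microsoft's analysis) of how a deep-link handler can gate a privileged WebView: a hypothetical weak substring check is shown next to a hardened validator that parses the URL, requires https and an exact allowlisted host, and attaches the JavaScript bridge only after validation. The hosts, the `url` query parameter, and the `AppBridge` interface name are assumptions for the example.

```java
import android.content.Intent;
import android.net.Uri;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical deep-link handler illustrating the bug class described above. */
public final class DeepLinkWebViewPolicy {
    // Assumed allowlist: only these hosts may be rendered in the privileged WebView.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com", "m.example.com"));

    /** Weak check of the kind deep-link bypasses defeat: a substring match on the
     *  raw string also accepts "https://evil.example.net/?ref=example.com". */
    static boolean weakCheck(String url) {
        return url != null && url.contains("example.com");
    }

    /** Hardened check: parse first, then require https, no userinfo, exact host. */
    static boolean isTrustedUrl(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        if (!"https".equals(uri.getScheme())) return false;
        if (uri.getUserInfo() != null) return false; // rejects "https://host@other" forms
        String host = uri.getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    /** Loads a deep link into the WebView, exposing the JS bridge only to trusted pages. */
    static boolean openDeepLink(WebView webView, Intent intent, Object bridge) {
        Uri data = intent.getData();
        if (data == null) return false;
        // Assumed deep-link shape: the page to render is carried in a "url" query parameter.
        String target = data.getQueryParameter("url");
        if (!isTrustedUrl(target)) {
            return false; // never reach loadUrl() with an unvalidated URL
        }
        webView.getSettings().setJavaScriptEnabled(true);
        // Attach the bridge after validation so an arbitrary page can never call into it.
        webView.addJavascriptInterface(bridge, "AppBridge");
        webView.loadUrl(target);
        return true;
    }
}
```

The bridge remains attached across in-page navigation, so the same `isTrustedUrl` check should also be applied in a `WebViewClient.shouldOverrideUrlLoading` override, otherwise a trusted page that redirects elsewhere re-exposes it.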

Microsoft notified TikTok of the flaw in February 2022. A patch update was released in March. However, Microsoft only revealed its existence today.
