Microsoft Spies A One-Click Account Hijacking Exploit In TikTok's Android App
Microsoft security researchers discovered and analyzed the vulnerability, then disclosed their findings to TikTok in February of this year. While TikTok may have questionable user data practices, it is in the social media platform's interest to protect user accounts from unauthorized access. According to Microsoft, TikTok responded quickly, pushing out a fix for the vulnerability less than a month after being notified. Microsoft waited until now to publicly disclose the vulnerability so that TikTok users would have time to update the Android app. The vulnerability affected versions of the app prior to 23.7.3, while the latest version of the app, released today, is 25.9.4.
The image above shows a user profile whose biography was changed via the exploit to read “!! SECURITY BREACH !!!” However, beyond changing the profile biography, an attacker could have used the stolen tokens to upload videos, make private videos public, and send messages. A malicious attacker armed with this exploit could have wreaked havoc on unsuspecting users who simply opened a link. Thankfully, TikTok users don’t have to worry about this vulnerability, so long as they’ve been applying updates.