Microsoft has revealed a vulnerability in TikTok’s mobile apps for Android that hackers could have exploited to gain control over someone’s account with naught but a single click.
“Attackers could have leveraged the vulnerability to hijack an account without users’ awareness if a targeted user simply clicked a specially crafted link,” Microsoft says. “Attackers could have then accessed and modified users’ TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users.”
The flaw is said to have been present in both versions of TikTok’s app for Android—one for East and Southeast Asia and one for everywhere else—before Microsoft disclosed it to TikTok in February. Microsoft says these apps have more than 1.5 billion downloads combined.
Microsoft says the vulnerability “has been fixed and we did not locate any evidence of in-the-wild exploitation.” The company advises TikTok for Android users to make sure they’re using the most recent version of the app. (Especially since hackers are more likely to attempt to exploit the security flaw now that it’s been publicized with several proofs of concept from Microsoft itself.)
TikTok released version 23.7.3 for Android on March 22, according to Softpedia, so users with automatic updates enabled should already have a newer version of the app installed. Additional information about the vulnerability and how it can be exploited in affected versions of the software is available via Microsoft’s blog post as well as HackerOne and GitHub.