TikTok Android Microsoft

TikTok is a popular entertainment app with more than 1.5 billion downloads in the Google Play Store alone. Microsoft recently discovered a high-severity security vulnerability in the TikTok Android app that allowed attackers to compromise user accounts with a single click.

Attackers could have hijacked a targeted user's TikTok account once that user clicked a specially crafted link. Using this vulnerability, an attacker could:

  • Retrieve the user's authentication tokens by triggering a request to an attacker-controlled server and logging the cookie and the request headers.
  • Retrieve or modify the user's TikTok account data, such as private videos and profile settings, by triggering a request to a TikTok endpoint and retrieving the reply via the JavaScript callback.

Microsoft notified TikTok of the vulnerability through coordinated vulnerability disclosure, and TikTok has since issued a patch that fixes the issue.

This coordinated disclosure shows how collaboration within the security community is crucial.