TikTok is a popular entertainment app with more than 1.5 billion downloads in the Google Play Store alone. Microsoft recently discovered a high-severity security vulnerability in the TikTok Android app that allowed attackers to compromise user accounts with a single click.
Attackers could have hijacked a targeted user's TikTok account when that user clicked a specially crafted link. Using this technique, an attacker could:
- Retrieve the user's authentication tokens by triggering a request to an attacker-controlled server and logging the cookies and request headers.
- Retrieve or modify the user's TikTok account data, such as private videos and profile settings, by triggering a request to a TikTok endpoint and reading the reply via the JavaScript callback.
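The attack hinges on the app accepting a "specially crafted link". The usual defensive check for that class of bug is to parse the incoming URL and compare its exact host against an allowlist before loading it into anything privileged, rather than matching on a string prefix. The example below is added here to illustrate that check; it is not TikTok's or Microsoft's code and does not describe TikTok's actual filter or patch. The host names (`example-app.com`, `attacker.test`), sample URLs and function names are constructed for the illustration.

```python
"""Deeplink URL validation: a weak prefix check beside a strict host allowlist.

Added illustration, not code from TikTok or Microsoft. All hosts, URLs and
function names below are constructed for this example.
"""
from urllib.parse import urlsplit

# Hosts the app is willing to load into an in-app WebView (constructed).
ALLOWED_HOSTS = {"m.example-app.com", "www.example-app.com"}


def weak_is_trusted(url: str) -> bool:
    """A string-prefix filter: looks right, but a crafted link slips past it."""
    return url.startswith("https://m.example-app.com")


def strict_is_trusted(url: str) -> bool:
    """Parse the URL and require https plus an exact, allowlisted host."""
    try:
        parts = urlsplit(url)
        port = parts.port  # may raise ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # Reject userinfo: 'https://m.example-app.com@attacker.test' has the
    # trusted name in the username field and 'attacker.test' as the real host.
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    host = parts.hostname  # already lowercased by urlsplit
    return host is not None and host in ALLOWED_HOSTS


# Constructed sample links: a legitimate one and the classic bypass shapes.
SAMPLE_URLS = [
    "https://m.example-app.com/profile",
    "https://m.example-app.com.attacker.test/x",   # trusted name as a subdomain
    "https://m.example-app.com@attacker.test/x",   # trusted name as userinfo
    "http://m.example-app.com/x",                  # plaintext scheme
    "https://M.EXAMPLE-APP.COM/x",                 # case variation
]


def evaluate_samples() -> dict:
    """Map each sample URL to (weak_result, strict_result)."""
    return {u: (weak_is_trusted(u), strict_is_trusted(u)) for u in SAMPLE_URLS}


if __name__ == "__main__":
    for url, (weak, strict) in evaluate_samples().items():
        print(f"{url:48} weak={weak!s:5} strict={strict}")
```

The two bypass shapes in the sample list both pass the prefix check and fail the strict one; the case-variant URL shows the reverse, where the prefix check rejects a link that is in fact fine. Whatever the app does after the check (open a WebView, expose a JavaScript bridge, fire a request), it should only happen once the strict check has passed.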
Microsoft notified TikTok of the vulnerability through coordinated vulnerability disclosure, and TikTok has already issued a patch that fixes the issue.
This coordinated disclosure shows how crucial collaboration within the security community is.