Thanks to a vulnerability that allowed threat actors to bypass the app’s deeplink verification, taking over a victim’s TikTok account required nothing more than getting the victim to click a “specially crafted link.” According to Microsoft, the vulnerability has been fixed. The researchers said they “did not locate any evidence of in-the-wild-exploitation” of the vulnerability.
One-Click Account Compromise
In a blog post, Microsoft researchers explained how the TikTok vulnerability let hackers abuse a JavaScript bridge to inject code and hijack users’ accounts. “Attackers could force the app to load an arbitrary URL to the app’s WebView, allowing the URL to then access the WebView’s attached JavaScript bridges and grant functionality to attackers,” the Microsoft 365 team said. Clicking on a link is all it takes for hackers to gain access. A script is run that “modifies the user’s biography information” to something eye-catching like “SECURITY BREACH.” Text like that compels users to click a link, which gives the attacker access to the JavaScript bridge and the ability to invoke functionality exposed by the TikTok app, essentially handing the hackers full control over the account. “Attackers could have then accessed and modified users’ TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of the users,” the researchers said. The Microsoft team found 70 ways hackers could have taken advantage of the JavaScript code of pages loaded in the WebView to hack TikTok accounts.
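To make the mitigation concrete, here is an added example that is neither TikTok’s code nor taken from Microsoft’s write-up: a hardened Android deeplink handler in Java that extracts the requested URL, loads it in the WebView only when the scheme is https and the host exactly matches an allowlist, and removes the JavaScript bridge before any in-page navigation to a host outside that allowlist. The package, class, query-parameter and bridge names, the allowlisted hosts and the minSdk assumption are all illustrative choices, not values from the article.

```java
// Added example (not TikTok's or Microsoft's code): a hardened deeplink handler for an
// Android WebView that exposes a JavaScript bridge. DeeplinkActivity, the "url" query
// parameter, "AppBridge" and the allowlisted hosts are assumptions for illustration.
// Assumes minSdk 24 for the WebResourceRequest overload of shouldOverrideUrlLoading.
package example.deeplink; // hypothetical package

import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class DeeplinkActivity extends Activity {

    // Exact hosts allowed to reach the bridge. Compare by equality, never with
    // contains() or endsWith(): "www.example.com.attacker.test" must not pass.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(
            Arrays.asList("www.example.com", "m.example.com")); // constructed values

    private static final String BRIDGE_NAME = "AppBridge"; // hypothetical bridge name

    /** Expose only what trusted pages need; a narrow bridge limits what a hijack can do. */
    private static class AppBridge {
        @JavascriptInterface
        public String getAppVersion() { return "1.0.0"; }
    }

    /** Returns the target only if it is an https URL whose host is allowlisted, else null. */
    static Uri validateTarget(Uri deeplink) {
        if (deeplink == null) return null;
        String target = deeplink.getQueryParameter("url"); // assumed parameter name
        if (target == null) return null;
        Uri uri = Uri.parse(target);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        // Rejects javascript:, file:, data: and any URL without a parseable host.
        if (scheme == null || host == null) return null;
        if (!"https".equalsIgnoreCase(scheme)) return null;
        if (!ALLOWED_HOSTS.contains(host.toLowerCase())) return null;
        return uri;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Uri target = validateTarget(getIntent().getData());
        if (target == null) {
            finish(); // refuse to load anything the allowlist does not cover
            return;
        }
        WebView webView = new WebView(this);
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new AppBridge(), BRIDGE_NAME);
        // Block navigation (clicked links, redirects) to off-allowlist hosts, and drop
        // the bridge first so a page that slips through can never reach it.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                Uri next = request.getUrl();
                String host = next.getHost();
                if (host != null && "https".equalsIgnoreCase(next.getScheme())
                        && ALLOWED_HOSTS.contains(host.toLowerCase())) {
                    return false; // trusted origin: let the WebView load it
                }
                view.removeJavascriptInterface(BRIDGE_NAME);
                return true; // cancel the navigation to the untrusted URL
            }
        });
        setContentView(webView);
        webView.loadUrl(target.toString());
    }
}
```

Two points worth checking in a review of code like this: the host comparison must be an exact match on the parsed host (substring or suffix checks are the classic bypass), and the bridge is injected into every frame of the page, so the allowlisted pages themselves must not embed untrusted iframes, or the allowlist alone will not protect the bridge.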
No Evidence of Exploitation
Microsoft’s security team first notified TikTok about the issue in February 2022, and TikTok quickly fixed it, the report said. The vulnerability only affects versions of the TikTok application older than 23.7.3. Although this issue has been fixed, Microsoft recommended that users avoid clicking links from unknown sources, keep devices and applications updated, never use untrusted applications, and report anything suspicious to the device vendor.

A lot goes on behind the scenes when you open a web browser. A recent report revealed that Meta alters the code of websites users open with the Facebook and Instagram in-app browsers, which allows the company to track users’ activities.

Social engineering attacks have become increasingly common in recent years. Threat actors usually rely on getting users to click malicious links to snare them in phishing schemes. Our in-depth guide to phishing contains valuable information about this cyber threat and how you can protect yourself. If you’re concerned about your privacy on TikTok, our article on the privacy risks of TikTok is a good resource.