Today, Microsoft has disclosed a vulnerability within the TikTok Android app, which allowed attackers to access user accounts with a single click. This follows a recent clarification by TikTok on a suspected data breach in the U.S.
The specifics of the exploit required several issues to be chained together to function, and the issue has already been fixed, with no evidence of in-the-wild exploitation. Attackers would have been able to make use of this without the users" awareness if it had been utilised.
The vulnerability itself allowed attackers to bypass the deep link verification of the app, forcing it to load an arbitrary URL to the app"s WebView allowing it to access the attached JavaScript bridges and grant functionality.
There are two different variations of the TikTok app, one for East and South East Asia, and the other for the remaining countries. Both were affected by this exploit, and Microsoft notified TikTok back in February 2022 of the issue.
TikTok released an update to the app in March 2022, working with Microsoft to close the loophole quickly. Thankfully the attack was not actively exploited as this could have been used to post videos and other content to the platform without being detected. Microsoft once again reiterated that JavaScript should be avoided where possible, as it can prevent significant risks.