TikTok bug could have let hackers take over your account — what you need to know
Be careful about what links you click
A vulnerability in the Android TikTok app meant hackers could have taken over your account. While this theoretically put millions of users at risk, it was only possible if you clicked on a malicious link.
Details about this newly-found one-click exploit have been revealed by Microsoft's 365 Defender Research Team. The team labeled the exploit a “high severity vulnerability” and informed TikTok of their findings. The social app promptly patched it, but it goes to show how easily users could have lost their accounts.
In essence, once a user clicked a specially crafted link, the attacker would have had access to all the primary functions of that user's TikTok account. That includes uploading videos, sending messages and viewing videos privately stored on the account.
Microsoft went into specifics, explaining that the researchers found ways to bypass TikTok’s deeplink verification. That let them force the app to load an attacker-chosen URL in its WebView, and the page at that URL could then call the JavaScript bridges attached to the WebView.
From there, the researchers were able to retrieve the account's authentication tokens, letting them access it without a password. Fortunately, the exploit only ever existed as a proof of concept, and there’s no evidence that any hackers or other bad actors took advantage of it.
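To make the mechanism concrete for Android developers reviewing their own apps, here is an added illustration of the general pattern involved. It is not TikTok's code and not Microsoft's proof of concept; the class, bridge and query-parameter names are hypothetical, and the allowlisted hosts are placeholders. The first method shows the dangerous shape (a URL taken from the deeplink and loaded into a WebView that has a JavaScript bridge attached); the second shows the hardened shape, which checks scheme and host against an explicit allowlist before loading and re-checks every navigation the page triggers.

```java
// Added illustration (not TikTok's code, not Microsoft's proof of concept): the general
// Android pattern behind a deeplink-to-WebView takeover, beside a hardened version.
// All class, bridge and parameter names here are hypothetical.
package example.deeplink;

import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class DeeplinkWebViewActivity extends Activity {

    // Hypothetical bridge: anything the page's JavaScript can reach as window.AppBridge.
    // If an untrusted page can call it, that page gets whatever the bridge hands out.
    static class AppBridge {
        private final String sessionToken;
        AppBridge(String sessionToken) { this.sessionToken = sessionToken; }

        @JavascriptInterface
        public String getSessionToken() { return sessionToken; }
    }

    // VULNERABLE SHAPE (what to look for in code review, not TikTok's actual code):
    // the target URL comes straight from the deeplink's query string and is loaded with
    // the bridge attached, so whoever crafted the link chooses which page gets the bridge.
    void loadUnchecked(WebView webView, Uri deeplink, String token) {
        String target = deeplink.getQueryParameter("url");   // hypothetical parameter name
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new AppBridge(token), "AppBridge");
        webView.loadUrl(target);
    }

    // HARDENED SHAPE: https only, exact host match against an explicit allowlist, the bridge
    // is attached only after the check passes, and page-triggered navigation is re-checked.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com", "m.example.com")); // placeholders

    static boolean isTrusted(Uri u) {
        if (u == null || u.getHost() == null) return false;
        if (!"https".equalsIgnoreCase(u.getScheme())) return false;
        // Exact match, not "contains"/"endsWith": a host like example.com.attacker.test
        // or a URL such as https://evil.test/#@www.example.com must be rejected.
        return ALLOWED_HOSTS.contains(u.getHost().toLowerCase());
    }

    void loadChecked(WebView webView, Uri deeplink, String token) {
        String param = deeplink == null ? null : deeplink.getQueryParameter("url");
        Uri target = param == null ? null : Uri.parse(param);
        if (!isTrusted(target)) {
            finish();   // refuse the deeplink rather than loading an arbitrary page
            return;
        }
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new AppBridge(token), "AppBridge");
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true cancels the navigation: a hop off the allowlist must not
                // end up in a WebView that still has the bridge attached.
                return !isTrusted(request.getUrl());
            }
        });
        webView.loadUrl(target.toString());
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        // Always use the checked variant; loadUnchecked is kept only as the review anti-pattern.
        loadChecked(webView, getIntent().getData(), "hypothetical-session-token");
    }
}
```

The important design choice is that the bridge is never attached before the destination has been validated, and validation is an exact host comparison on a parsed `Uri` rather than a substring check on the raw string, since substring checks are the usual way such verification gets bypassed.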
The security team notes that TikTok for Android is available in two variants: one for East and Southeast Asia, and another for all remaining countries. Both versions of the app were affected by this issue, and have a combined 1.5 billion downloads on Google Play.
That shows you just how serious and widespread a problem this vulnerability actually was. Thankfully, TikTok was informed of the vulnerability back in February, and “quickly responded” by developing a fix.
There’s no mention of iOS, or iPhones, in Microsoft’s blog post, suggesting those devices didn’t have the same vulnerability.
There are some things users can do to protect themselves against this kind of attack. The first is to ensure you have the latest version of the TikTok app installed. The other is to avoid clicking suspicious links, especially those from unknown sources. As this vulnerability shows, even something as simple as clicking an unfamiliar link can have far-reaching consequences.
Be sure to check out our guide on how to keep your social media accounts safe, and seven ways you can improve your online security for free. It's also worth investing in one of the best internet security suites and one of the best VPNs to add some extra layers to your online security, and should a ban in the US occur, a quality TikTok VPN may be of use as well.
Tom is Tom's Guide's UK Phones Editor, tackling the latest smartphone news and vocally expressing his opinions about upcoming features or changes. It's a long way from his days as editor of Gizmodo UK, when pretty much everything was on the table. He’s usually found trying to squeeze another giant Lego set onto the shelf, draining very large cups of coffee, or complaining about how terrible his Smart TV is.