Microsoft researchers discovered a serious vulnerability in TikTok that threatened user accounts’ security. Specifically, they found an account hijacking vulnerability in the TikTok Android app.
TikTok App Account Hijacking Vulnerability
As elaborated in a recent blog post, Microsoft’s research team analyzed the TikTok Android app and found an account hijacking vulnerability. The researchers explained that they examined both TikTok app “flavors” – com.ss.android.ugc.trill (for East and Southeast Asia) and com.zhiliaoapp.musically (for other regions) – and found that the vulnerability affected both versions.
The exposure of the app’s Java methods to attacker-controlled content loaded in a WebView permitted hijacking of the target TikTok account.
In a real-world scenario, an attacker exploiting this vulnerability could retrieve the target user’s authentication tokens, access account information, modify account details, and even access private videos.
The researchers have shared the technical details and the proof of concept for this attack in their post.
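The following Java snippet is an added illustration and is not code from TikTok or from Microsoft’s write-up. It shows the generic risk pattern described above: an Android WebView that exposes Java methods to page JavaScript through addJavascriptInterface and then loads an externally supplied URL, beside a hardened version that only loads allowlisted https hosts and blocks navigation away from them. The AccountBridge class, its getToken method, the AppBridge name and the example-app.com hosts are assumptions made for the illustration.

```java
// Added illustration (not TikTok's code and not from Microsoft's post).
// A WebView that exposes Java methods to page JavaScript hands those methods
// to whatever page it loads, so loading an attacker-controlled URL lets that
// page call them. The hardened variant validates the destination first.
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class AccountWebViewExample {

    // Hypothetical bridge object; method name and return value are assumptions.
    static class AccountBridge {
        private final String sessionToken;

        AccountBridge(String sessionToken) {
            this.sessionToken = sessionToken;
        }

        // Any JavaScript running in the WebView can call window.AppBridge.getToken()
        @JavascriptInterface
        public String getToken() {
            return sessionToken;
        }
    }

    // VULNERABLE PATTERN: the privileged bridge is attached and an externally
    // supplied URL is loaded without checking who controls that URL.
    static void loadUnchecked(WebView webView, String externalUrl, String token) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new AccountBridge(token), "AppBridge");
        webView.loadUrl(externalUrl); // an attacker-controlled page can now read the token
    }

    // Hosts the app itself owns (placeholder values, assumed for the example).
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList(
            "www.example-app.com",
            "m.example-app.com"));

    // True only for https URLs whose host is an exact allowlist entry.
    // Exact matching matters: suffix checks like endsWith("example-app.com")
    // also accept "evilexample-app.com".
    static boolean isTrustedUrl(String url) {
        if (url == null) {
            return false;
        }
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) {
            return false;
        }
        return "https".equalsIgnoreCase(scheme)
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    // HARDENED PATTERN: refuse untrusted destinations outright, attach the bridge
    // only for trusted ones, and keep later navigations (redirects, links) inside
    // the allowlist so the bridge never reaches a third-party page.
    static boolean loadChecked(WebView webView, String externalUrl, String token) {
        if (!isTrustedUrl(externalUrl)) {
            return false; // caller should log and refuse, not fall back to loading it
        }
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true tells the WebView not to load the request.
                return !isTrustedUrl(request.getUrl().toString());
            }
        });
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new AccountBridge(token), "AppBridge");
        webView.loadUrl(externalUrl);
        return true;
    }
}
```

The design point is that addJavascriptInterface grants whatever page is loaded the ability to call the annotated methods, so the security boundary is the decision of which URLs may ever be loaded into that WebView; checking only the first URL is not enough, because a trusted page can redirect, which is why the WebViewClient check is applied to every navigation.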
TikTok Patched The Flaw
Following this discovery, the researchers contacted the TikTok team to report the matter. This security issue has received the identification number CVE-2022-28799 and a severity score of 8.3. According to the bug description in a HackerOne report,
TikTok has since patched the vulnerability and released the fix with TikTok for Android version 23.7.3. TikTok has released numerous subsequent updates to the app.