Patched TikTok Exploit Potentially Let Attackers Take Control of User Accounts

Security researchers revealed they uncovered a massive hole in TikTok’s security that affected every single user who has downloaded the app on Android devices worldwide. But if there is any lingering hint that any users were impacted by this “high severity” security exploit, then TikTok isn’t telling.

Microsoft 365 Defender researchers reported Wednesday on a serious vulnerability in the Android version of the TikTok app, one that could have allowed bad actors to potentially gain access to all aspects of a user’s account. The researchers said they revealed the exploit to TikTok back in February through its vulnerability reporting page.

A fix for the issue was included in an update released within a month’s time, though neither the company nor the researchers could say how long the exploit had been around.

This exploit would give malicious persons access to a person’s account simply by getting them to click on a specially crafted link. Once that happened, JavaScript running inside the app could modify user information or profile settings. Any bad actor could have turned private videos public, sent messages to friends or strangers, or even uploaded videos to the user’s account. There’s a lot here that’s problematic, but perhaps the most obvious use would be to collect users’ account information, including passwords, emails, or other sensitive data. Researchers said the vulnerability was rated “high severity.”

TikTok did not answer Gizmodo’s questions about whether it knew if any users had been previously impacted by the exploit. Researchers found the exploit was present in both the East Asia version of the app and the version of TikTok that the rest of the world uses, so essentially all 1.5 billion people who downloaded the extremely popular and lucrative app from the Google Play Store could have been susceptible.

Instead, in an email statement, a TikTok spokesperson reiterated points expressed in the Microsoft researchers’ blog post, adding: “Through our partnership with security researchers at Microsoft, we discovered and quickly fixed a vulnerability in some older versions of the Android app. We appreciate the Microsoft researchers for their efforts to help identify potential issues so we can resolve them.”

The company also pointed to the bug bounty program it runs alongside HackerOne to try to stamp out exploits before they have the chance to hurt users. For their part, the researchers thanked the TikTok security team “for collaborating quickly and efficiently in resolving these issues.”

So how did this all work? Essentially, researchers found that TikTok had a vulnerability in the way it handled authenticated HTTP requests, specifically those behind its mobile deep link functionality, which lets a link open a particular part of the app without the user navigating there from inside the app. Have you ever opened a Twitter post from an email or some other platform? That’s essentially a deep link.

By digging into this code, researchers found they could bypass the deep link verification and obtain a user’s authentication token: the user clicks on a specially crafted malicious link that points at a server the attacker controls, which logs the cookies sent to it. That same server can then return an HTML page with JavaScript code that can make any number of modifications to the account.

The researchers put a special emphasis on the danger that unsecured JavaScript interfaces pose, adding “we recommend that the developer community be aware of the risks and take extra precautions to secure WebView.” Recently, a separate security researcher discovered JavaScript in TikTok that could potentially record all user inputs while they were in the application’s in-app browser. TikTok expressly denied that it had used that script to keylog any of its users, and said the code was there for backend debugging and troubleshooting purposes.
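To make the WebView recommendation above concrete, here is an added illustration (not TikTok’s code, and not from the Microsoft write-up) of the defensive pattern the researchers are pointing at: an Android Activity that receives a deep link, checks the parsed host of the requested page against a first-party allowlist, and only then loads it into a WebView that exposes a JavaScript bridge. The `myapp://` scheme, the `target` query parameter, the example.com hosts and the `AccountBridge` class are all hypothetical.

```java
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical Activity registered for a deep link such as
//   myapp://open?target=https://www.example.com/page
// Names, scheme, parameter and hosts are constructed for illustration.
public class DeepLinkActivity extends Activity {
    // Only these first-party hosts may receive the privileged JavaScript bridge.
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com", "m.example.com"));

    // True only for https URLs whose parsed host is exactly on the allowlist;
    // compare the parsed host, never a substring of the raw URL string.
    static boolean isTrustedTarget(Uri target) {
        if (target == null || !"https".equals(target.getScheme())) return false;
        String host = target.getHost();
        return host != null && TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Uri deepLink = getIntent().getData();
        String raw = deepLink == null ? null : deepLink.getQueryParameter("target");
        Uri target = raw == null ? null : Uri.parse(raw);
        if (!isTrustedTarget(target)) {
            // Untrusted origin: never load it into a WebView that carries the bridge.
            finish();
            return;
        }
        WebView webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);
        // Every @JavascriptInterface method below becomes callable by page script,
        // which is why the page's origin has to be verified before this point.
        webView.addJavascriptInterface(new AccountBridge(), "AccountBridge");
        webView.loadUrl(target.toString());
    }

    static class AccountBridge {
        @JavascriptInterface
        public String getDisplayName() { return "placeholder-user"; }
    }
}
```

The same allowlist check belongs on any redirect or "open in browser" path the app exposes, since a page served from an attacker-controlled host that reaches `AccountBridge` is exactly the situation the article describes.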