TikTok users were at risk of account takeover because of a one-click vulnerability in the TikTok Android app. The flaw, tracked as CVE-2022-28799, affected builds of the app with more than 1.5 billion installs.
According to a detailed post by the Microsoft 365 Defender Research Team, TikTok was notified of the vulnerability in February and quickly shipped a patch for it. The researchers praised the speed and thoroughness of the TikTok security team's response. We strongly recommend that all TikTok users update to the latest version.
Deep linking is an Android feature that lets an app register to handle particular links in a specific way; the flaw lay in how TikTok implemented it. For example, when a user taps a Reddit link in Chrome, the Reddit app is launched on their device instead of the website. That is deep linking working as intended.
An attacker who exploited the flaw could have viewed users' private videos, uploaded videos, and sent messages on their behalf. Microsoft says it has found no evidence that the vulnerability was exploited in the wild.
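The article does not describe the specific defect in TikTok's deep link handling, so the following is an added illustration of the general defensive pattern rather than TikTok's code or Microsoft's findings: a deep link handler treats everything in the incoming link as untrusted input, checks scheme and host against an allowlist, validates each path component, and routes only to screens the app is designed to serve. The app name, schemes, hosts and route names are constructed for the example.

```kotlin
import android.net.Uri
import android.os.Bundle
import android.util.Log
import androidx.appcompat.app.AppCompatActivity

// Routes the app knows how to serve. A link that does not map onto one of
// these is dropped rather than "handled" generically.
sealed class DeepLinkRoute {
    data class Video(val id: String) : DeepLinkRoute()
    data class Profile(val username: String) : DeepLinkRoute()
}

// Allowlists for a fictional app (constructed values, not TikTok's).
private val ALLOWED_SCHEMES = setOf("https", "exampleapp")
private val ALLOWED_HOSTS = setOf("example.com", "www.example.com")
// Identifiers the app accepts in a link: short, alphanumeric, no separators.
private val SAFE_ID = Regex("^[A-Za-z0-9_]{1,32}$")

// Turn an incoming link into a route, or null if it is not one the app is
// designed to serve. Nothing taken from the link (path, host or query
// parameter) is forwarded verbatim to a WebView or another component.
fun parseDeepLink(uri: Uri?): DeepLinkRoute? {
    if (uri == null) return null
    val scheme = uri.scheme ?: return null
    if (scheme !in ALLOWED_SCHEMES) return null
    val host = uri.host ?: return null
    if (host !in ALLOWED_HOSTS) return null
    // Reject "https://example.com@other.test/..." style confusion outright.
    if (uri.userInfo != null) return null
    val segments = uri.pathSegments
    if (segments.size != 2) return null
    val value = segments[1]
    if (!SAFE_ID.matches(value)) return null
    return when (segments[0]) {
        "video" -> DeepLinkRoute.Video(value)
        "user" -> DeepLinkRoute.Profile(value)
        else -> null
    }
}

// Hypothetical activity declared in AndroidManifest.xml with an intent
// filter for the scheme/host pairs above.
class DeepLinkActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val uri = intent?.data
        when (val route = parseDeepLink(uri)) {
            null -> {
                // Log and drop: an unexpected link must not reach a privileged
                // screen or an in-app browser just because it was clicked.
                Log.w("DeepLink", "rejected deep link: $uri")
                finish()
            }
            is DeepLinkRoute.Video -> openVideo(route.id)
            is DeepLinkRoute.Profile -> openProfile(route.username)
        }
    }

    private fun openVideo(id: String) {
        // Navigate to the in-app video screen for a validated id.
    }

    private fun openProfile(username: String) {
        // Navigate to the in-app profile screen for a validated username.
    }
}
```

The point of keeping `parseDeepLink` free of Android UI dependencies is that it can be unit-tested on the JVM with crafted `Uri` values (wrong scheme, unexpected host, extra path segments, user-info tricks) before any link reaches a screen that can act on the user's behalf.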
In comments to The Record, a TikTok representative echoed this and noted that the company's bug bounty program is now run through HackerOne.
“Together with Microsoft’s security experts, we were able to pinpoint a flaw in the app’s code and release a fix for it in a timely manner. The Microsoft researchers’ assistance in identifying and fixing any issues is greatly appreciated,” the representative stated.
In recent years, the company has fought against claims from politicians and government officials that the information it collects and its ties to China make it a security risk.
Check Point researchers reported in February 2018 that a vulnerability had allowed unauthorized access to users’ private information. The same firm disclosed vulnerabilities in 2020 that would have allowed attackers to hijack accounts by sending users malicious links in messages.