Don’t freak out, as it’s long resolved now, but Android users should really think twice before clicking any links in the TikTok app after security flaws were found and reported that made it ridiculously easy to steal other users’ accounts with a simple link. While it’s been addressed for now, it’s always good internet security advice not to go clicking unknown links, and with an exploit this simple it’s a good idea to be ever vigilant out there.
From there, those with malicious intent can wreak all sorts of havoc on the user’s account. They can modify and view basically all the data, including profile settings and private videos. Because the webview can perform requests that are already authenticated as the logged-in user, it’s by no means a stretch to say they could completely take over the account.
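The article only says that a crafted link ended up in a webview able to make authenticated requests; it does not describe how the TikTok app handled the link, and the code below is not TikTok’s or Microsoft’s. As an added, generic illustration of the defensive check at the heart of this bug class, here is a small Android helper that refuses to load any link into a session-bearing WebView unless it is an https URL on a first-party host allowlist. The class name, the allowlisted host and the entry points are all assumptions made for the example.

```java
import android.net.Uri;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Hypothetical deep-link guard for a WebView that carries the user's session.
 * Anything that fails the check is dropped instead of being loaded.
 */
public final class DeepLinkGuard {

    // Constructed allowlist for the example: only first-party hosts may be
    // rendered inside the authenticated WebView.
    private static final Set<String> ALLOWED_HOSTS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("www.example-app.com")));

    private DeepLinkGuard() {}

    /** Returns true only for an https URL whose host is on the allowlist. */
    public static boolean isTrustedUrl(String url) {
        if (url == null || url.isEmpty()) {
            return false;
        }
        Uri uri = Uri.parse(url);
        // Reject http, javascript:, file:, custom schemes and relative URLs outright.
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return false;
        }
        String host = uri.getHost();
        if (host == null || host.isEmpty()) {
            return false;
        }
        // Exact, case-insensitive host match: no suffix or substring matching,
        // so "www.example-app.com.attacker.test" does not pass.
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /**
     * Loads the URL into the session-bearing WebView only if it is trusted.
     * Returns false (and loads nothing) for everything else, so the caller
     * can log the event or hand the link to the system browser instead.
     */
    public static boolean loadIfTrusted(WebView webView, String url) {
        if (!isTrustedUrl(url)) {
            return false;
        }
        webView.loadUrl(url);
        return true;
    }
}
```

The same check should also run from a WebViewClient’s shouldOverrideUrlLoading so that redirects and in-page navigation cannot steer the authenticated WebView off the allowlist after the first load. Links that fail the check belong in the system browser or a separate WebView that carries no cookies or JavaScript bridges, not in the one that can act as the user.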
“Attackers could have leveraged the vulnerability to hijack an account without users’ awareness if a targeted user simply clicked a specially crafted link,” Microsoft 365 Defender Research Team’s Dimitrios Valsamaras said, adding “Attackers could have then accessed and modified users’ TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users.”
The surprising, yet good, news is that the flaw does not appear to have been exploited while it was active, which is likely why it was kept under wraps for a while. And it does look like TikTok has fixed the issue, in between trying to get into games.
Microsoft’s investigations didn’t find evidence of an attack using the link exploits, so hopefully it wasn’t discovered by bad actors at the time. Though given TikTok’s youthful audience, it could…