A vulnerability in the TikTok app for Android could have let attackers take over the account of any user who clicked on a malicious link, potentially affecting hundreds of millions of users of the platform.
Details of the one-click exploit appeared today in a blog post from researchers on Microsoft’s 365 Defender research team. Microsoft disclosed the vulnerability to TikTok, and it has since been patched.
The bug and the attack it enabled, termed a “high-severity vulnerability”, could have been used to hijack any TikTok user’s account on Android without their knowledge, once they had clicked on a specially crafted link. After the link was clicked, the attacker would have had access to all of the primary functions of the account, including the ability to upload and post videos, send messages to other users, and view private videos stored in the account.
The potential impact was huge, as it affected all global variants of the Android TikTok app, which has a total of over 1.5 billion downloads on the Google Play Store. However, there is no evidence that it was extensively exploited. The researchers involved in the discovery and disclosure praised TikTok for its quick response.
“We informed them about the vulnerability and collaborated to help fix the issue,” Tanmay Ganacharya, partner director of security research at Microsoft Defender for Endpoint, told The Verge. “TikTok responded quickly, and we appreciate the efficient and professional solutions from the security team.”
According to the details published in the blog post, the vulnerability affected the deep link functionality of the Android app. Deep link handling tells the operating system to let certain apps process links in a specific way; for example, an HTML link embedded in a webpage can open the Twitter app to follow a user after a “Follow this account” button is clicked.
This link handling also includes a verification process that restricts the actions an application can take when a given link is loaded. But the researchers found a way to bypass this verification process and perform a number of potentially weaponizable functions within the app.
One of these functions lets them retrieve an authentication token tied to a certain user account, effectively granting account access without the need to enter a password. In a proof-of-concept attack, researchers created a malicious link that, when clicked, changed the bio of a TikTok account to read “security breach”.
Fortunately, the vulnerability was discovered, and Microsoft has used this opportunity to emphasize the importance of collaboration and coordination between technology platforms and vendors.
Microsoft’s Dimitrios Valsamaras wrote in the blog post, “As the number and sophistication of threats on the platform continues to grow, there is a need for vulnerability disclosure, coordinated response, and other forms of threat intelligence sharing, which can help protect the computing experience of users. We will continue to work with the larger security community to research and share intelligence about threats in an effort to create better security for all.”
Although the TikTok app hasn’t suffered any major hacks so far, some critics have called it a security risk, among other concerns.
Recently, concerns have been raised about the extent to which US users’ data could be accessed by China-based engineers at TikTok’s parent company ByteDance. In July, the leaders of the Senate Intelligence Committee met with FTC Chair Lina Khan to ask for an investigation of TikTok. The questions came after reports claimed that data on US users had been siphoned off by the company’s Chinese arm.
TikTok did not respond to questions from The Verge by the time of publication.