Don’t panic, because it has been fixed for a long time now, but Android users should really think twice before clicking on links in the TikTok app: security flaws were discovered and reported that made it ridiculously easy to hijack other users’ accounts with a single link. Although this has been resolved, it’s still a good idea not to click on unknown links, and with an exploit this simple it’s worth staying vigilant.
According to BleepingComputer, Microsoft reported the flaw to TikTok in February, but given the potential severity it’s not too surprising that we haven’t heard about it until now. With a well-crafted malicious link, more than 70 JavaScript methods could be reached through the app’s WebView; the issue affected only the Android app.
From there, those with malicious intent could wreak all kinds of havoc on users’ accounts. They could view and edit almost any data, including profile settings and private videos. Because the WebView could make authenticated requests on the user’s behalf, it’s by no means an exaggeration to say that they could completely take over the account.
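As an added illustration, not TikTok’s code and not taken from Microsoft’s write-up: a hypothetical Android deep-link handler in the weak shape the article describes (an untrusted link loaded into a WebView that exposes a JavaScript bridge) beside a hardened version that only loads https URLs whose host is on an exact allowlist. The host names and the bridge object are placeholders.

```java
import android.webkit.WebView;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Hypothetical deep-link gate for a WebView with a JavaScript bridge (not TikTok's code). */
public final class DeepLinkGate {
    // Constructed placeholder allowlist: hosts that serve the app's own first-party web content.
    private static final Set<String> TRUSTED_HOSTS = new HashSet<>(
            Arrays.asList("www.example-app.invalid", "m.example-app.invalid"));

    /** Accept only well-formed https URLs whose host exactly matches the allowlist. */
    public static boolean isTrustedDeepLink(String url) {
        if (url == null) return false;
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false; // unparsable input is rejected, never "best effort" loaded
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        // Reject javascript:, file:, intent: and plain http; reject "https://trusted@evil" style userinfo.
        if (scheme == null || !scheme.equalsIgnoreCase("https")) return false;
        if (host == null || uri.getRawUserInfo() != null) return false;
        // Exact match, not endsWith(): "www.example-app.invalid.attacker.test" must fail.
        return TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** Weak pattern: whatever the intent carried is loaded with the bridge attached. */
    static void loadUnchecked(WebView webView, Object bridge, String urlFromIntent) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(bridge, "AppBridge"); // reachable by any page loaded here
        webView.loadUrl(urlFromIntent);
    }

    /** Hardened: validate the URL first; untrusted links never reach a WebView with a bridge. */
    static void loadChecked(WebView webView, Object bridge, String urlFromIntent) {
        if (!isTrustedDeepLink(urlFromIntent)) {
            return; // drop the link; optionally log it for detection/telemetry
        }
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(bridge, "AppBridge");
        webView.loadUrl(urlFromIntent);
    }
}
```

The allowlist check belongs in the exported activity that receives the intent, before any WebView is touched; redirects inside the WebView need the same check in a WebViewClient, which this snippet does not cover.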
“Attackers could have exploited the vulnerability to hijack an account without users’ knowledge if a targeted user simply clicked on a specially crafted link,” said Dimitrios Valsamaras of the Microsoft 365 Defender research team, adding that “attackers could then have accessed and modified users’ TikTok profiles and sensitive information, for example by posting private videos, sending messages and uploading videos on behalf of users.”
The surprising, but good, news is that the flaw doesn’t appear to have been exploited while it was active, which is exactly why it was likely kept under wraps for some time. And TikTok has fixed the issue, in between its attempts to get into games.
Microsoft’s investigation found no evidence of an attack using the link exploit, so hopefully it wasn’t discovered by bad actors at the time. And given TikTok’s young audience, not clicking on weird links online might finally become common sense.
TikTok, like all apps, is by no means a perfect example of security, and it’s always wise to stay sceptical on the internet. Keep not clicking those links while you enjoy your crazy dancing, angry emus and huskies singing with saxophones.