After internal tests, microsoft discovered an exploit in the Android version of TikTok which could have given attackers access to large amounts of personal data with a single click.
The vulnerability has since been patched, and it doesn’t appear that anyone has been affected by the exploit. Attackers could have used this vulnerability to access user profiles, allowing outside forces to advertise private videos, send messages, and even upload videos.
The exploit took advantage of the way TikTok handles WebView code by bypassing deep link checking. When a TikTok user selects an affected deep link, the URL could access JavaScript bridges that gave the attackers functionality in the account. JavaScript bridges continue to pose a security risk in a variety of applications, with Microsoft, in a blog post, emphasizing how “…collaboration within the security community is necessary to improve the defenses of the digital ecosystem as a whole.”
The exploit could have affected more than 1.5 billion installations of TikTok from the Google Play Store.
The vulnerability is actually a combination of several issues that, when combined, could give attackers access to these accounts. Microsoft details all of its findings and how it discovered the exploit in its in-depth blog post.
When Microsoft notified the TikTok security team of the issue, “they responded by releasing a fix to address the reported vulnerability, now identified as CVE-2022-28799, and users can refer to the CVE entry for more information. We commend the efficient and professional resolution of the TikTok security team.”
News of this exploit comes on the heels of frequent reports from the excessive TikTok data collection. Hopefully, this quick patch reflects how seriously the company takes users’ data and privacy. Microsoft and TikTok recommend that you double check to make sure you are on the latest version of the app to avoid any issues.
Publisher Recommendations
es.digitaltrends.com