Microsoft saves TikTok users after reporting vulnerability leading to "one-click account hijacking"


While the world is busy enjoying the TikTok craze, most users of the popular video-sharing platform are unaware that months ago they nearly fell victim to a vulnerability that could have let bad actors take over their accounts. Thankfully, it was fixed before any bad actors noticed: Microsoft reported it to TikTok, which resolved it immediately.

Microsoft spotted the vulnerability, tracked as CVE-2022-28799, and reported it to TikTok last February through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). According to the tech giant, the issue was rated high severity with a score of 8.3.

Although no evidence was found that CVE-2022-28799 was exploited in the wild, the vulnerability put billions of TikTok user accounts at risk. Specifically, the problem affected the Android variants of the app, which together have over 1.5 billion installations on the Google Play Store. If exploited, it could have allowed bad actors to access other users’ accounts, post videos and view private ones, read the user’s messages, retrieve account data, and even modify the settings.

Image: An example of a compromised TikTok account, shared by Microsoft.

The attack starts when a user clicks a “specially crafted malicious link.” According to Microsoft, this was possible because CVE-2022-28799 allowed the TikTok app’s deeplink verification to be bypassed. “Attackers could force the app to load an arbitrary URL to the app’s WebView, allowing the URL to then access the WebView’s attached JavaScript bridges and grant functionality to attackers,” the Microsoft 365 Defender Research Team explained in its blog post.
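The defensive point behind that quote is that a deeplink handler must decide, strictly, which URLs are allowed to reach a WebView that exposes JavaScript bridges. The following added example (written for this page, not code from TikTok or Microsoft, and not a reconstruction of the actual CVE-2022-28799 flaw) models such a gate in plain Python, independent of Android APIs: a loose substring check beside a strict parse-and-allowlist check, with a hypothetical host allowlist and constructed sample URLs.

```python
from urllib.parse import urlsplit

# Constructed allowlist for illustration only. A real app would list exactly
# the first-party hosts whose pages are meant to reach the WebView's bridges.
ALLOWED_HOSTS = {"www.example-app.com", "m.example-app.com"}


def weak_is_trusted(url: str) -> bool:
    """Substring check: a common but insufficient pattern (hypothetical, not any vendor's code).

    It answers "does the string mention our domain" rather than "does this URL
    resolve to our host", so it accepts many URLs that point elsewhere.
    """
    return "example-app.com" in url


def strict_is_trusted(url: str) -> bool:
    """Parse the URL and require https plus an exact allowlisted host.

    Anything that does not parse to exactly one of the allowed hosts is
    rejected: userinfo before '@', lookalike subdomains of another domain,
    non-https schemes, or strings that do not parse at all.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    host = parts.hostname  # lowercased; userinfo and port already stripped
    if host is None:
        return False
    return host in ALLOWED_HOSTS


def select_webview_url(deeplink_target: str, fallback: str) -> str:
    """Only an allowlisted URL is handed to the WebView; everything else gets the fallback."""
    return deeplink_target if strict_is_trusted(deeplink_target) else fallback


if __name__ == "__main__":
    # Constructed sample deeplink targets to compare the two checks.
    samples = [
        "https://www.example-app.com/video/1",
        "https://WWW.Example-App.com/profile",
        "https://other.example/?next=example-app.com",
        "https://www.example-app.com.other.example/",
        "https://www.example-app.com@other.example/",
        "http://www.example-app.com/",
    ]
    for url in samples:
        print(f"{url:50} weak={weak_is_trusted(url)!s:5} strict={strict_is_trusted(url)}")
```

The strict version is the one to keep: it parses first, compares the normalised host against an explicit allowlist, and never lets the decision rest on what the raw string contains. A WebView that exposes JavaScript bridges should only ever receive a URL that passed a check of this shape.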

In light of this, Microsoft encouraged users to guard against similar scenarios by following some basic security guidelines: ignore links from untrusted sources, keep devices and apps updated, avoid installing apps from untrusted sources, and report suspicious activity. The company also praised TikTok’s quick response and underlined the importance of collaboration.

“This case displays how the ability to coordinate research and threat intelligence sharing via expert, cross-industry collaboration is necessary to effectively mitigate issues,” Microsoft said. “As threats across platforms continue to grow in numbers and sophistication, vulnerability disclosures, coordinated response, and other forms of threat intelligence sharing are needed to help secure users’ computing experience, regardless of the platform or device in use. We will continue to work with the larger security community to share research and intelligence about threats in the effort to build better protection for all.”

That said, vulnerabilities aren’t the only security concern facing TikTok users. ByteDance and TikTok have had their reputation questioned by many over reports that the platform is used by the Chinese government for its own agendas. Aside from a report that TikTok employees repeatedly accessed US user data from China, a new concern emerged after it was found that some LinkedIn profiles of TikTok workers show them simultaneously working for Chinese state media.
