When you’re a creator, your social media accounts are your lifeblood. The best two-factor authentication apps and password managers are absolutely critical to keeping those accounts safe, but they can only do so much when the apps you're using themselves are vulnerable. Imagine clicking on a link that gives a random person unrestricted access to your TikTok account, complete with permission to make private videos public, access your messages, change your bio, and even upload new content. One tap on a targeted link could have spelled the end of your account as you knew it, but thankfully, Microsoft swooped in and identified this vulnerability before any widespread disaster.

The vulnerability takes advantage of the way the app handles deeplinks. Android apps like TikTok declare in the app manifest how they want to handle this kind of link to content within them — deeplinks are essentially very specific hyperlinks that give you access to individual components and functions of an app. The manifest ensures that clicking on an m.tiktok.com link in your web browser takes you to the TikTok app. The app is supposed to load content into its WebView component only after validating the URL, so that something like an Instagram Reels link (hosted on a different domain) doesn’t accidentally open inside the TikTok app.

Microsoft discovered that attackers could bypass deeplink verification and load whatever URLs they please in TikTok’s WebView component. And since the WebView component also has access to JavaScript bridges, malicious code loaded via such a URL can reach application-level objects (code blocks for in-app actions and components). This could have led to data leakage, data corruption, and even malicious code execution without your knowledge. All the victim would have had to do is click a targeted link.
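The point of the two paragraphs above is that a WebView with JavaScript bridges is only as safe as the URL check that sits in front of it. The following Python snippet is an added illustration, not code from TikTok or from Microsoft’s write-up, and it does not reproduce the actual CVE-2022-28799 bypass: it contrasts a hypothetical substring-style check with a strict scheme-plus-host allowlist, using constructed URLs (the `attacker.example` hosts are placeholders). An Android app would apply the same allowlist logic in `WebViewClient.shouldOverrideUrlLoading` using `android.net.Uri`, and should only attach the JavaScript bridge for URLs that pass the strict check.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: the exact hosts whose pages are
# trusted to talk to the app's JavaScript bridge. m.tiktok.com is the host
# named in the article; www.tiktok.com is assumed for illustration.
TRUSTED_HOSTS = {"m.tiktok.com", "www.tiktok.com"}


def naive_is_trusted(url: str) -> bool:
    """Hypothetical weak check: accepts any URL that merely *contains* the
    brand domain. This is the kind of 'validation' that does not validate."""
    return "tiktok.com" in url.lower()


def strict_is_trusted(url: str) -> bool:
    """Allowlist check on the parsed scheme and host only.

    Query strings, paths, fragments and userinfo are deliberately ignored,
    because an attacker controls those parts of a link they craft."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname  # lowercased; port and user@ prefix stripped
    if host is None:
        return False
    return host in TRUSTED_HOSTS


def webview_policy(url: str) -> str:
    """What the app should do with a deeplink before handing it to a WebView
    that exposes JavaScript bridges."""
    return "load_with_bridge" if strict_is_trusted(url) else "reject"


def evaluate(urls):
    """Run both checks over a batch of URLs; returns {url: (naive, strict)}."""
    return {u: (naive_is_trusted(u), strict_is_trusted(u)) for u in urls}


# Constructed sample links: one legitimate, the rest shaped like the classic
# ways a substring check is satisfied while the real host is untrusted.
SAMPLE_URLS = [
    "https://m.tiktok.com/v/123",                            # legitimate
    "https://M.TikTok.com/v/123",                            # case differs
    "https://m.tiktok.com.attacker.example/",                # suffix host
    "https://attacker.example/m.tiktok.com/",                # brand in path
    "https://attacker.example/?next=https://m.tiktok.com",   # brand in query
    "https://m.tiktok.com@attacker.example/",                # brand as userinfo
    "http://m.tiktok.com/",                                  # wrong scheme
]

if __name__ == "__main__":
    for url, (naive, strict) in evaluate(SAMPLE_URLS).items():
        print(f"{url:55} naive={naive!s:5} strict={strict!s:5} -> {webview_policy(url)}")
```

Only the first two sample links pass the strict check; the naive check waves all seven through, which is exactly why a WebView that has `addJavascriptInterface`-style bridges must gate on the parsed host rather than on the text of the link.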

The affected TikTok app packages have over 1.5 billion Google Play Store downloads in total. Microsoft informed TikTok of the vulnerability back in February 2022, and the app’s developers worked to patch the issue identified as CVE-2022-28799. So, if you haven’t updated TikTok in a while, we suggest you do so right away.

We are happy security researchers got to this vulnerability before bad actors could, and Microsoft says it isn’t aware of any such exploits spotted in the wild. Discoveries like these serve as a constant reminder to keep your installed apps and operating systems as up-to-date as possible.