TikTok vulnerability for One-click account Hijacking: A ‘high severity’ case

The bug and its resulting attack, labelled a “high severity vulnerability,” could have been used to hijack the account of any TikTok user on Android without their knowledge, once they clicked on a specially crafted link.

After the link was clicked, the attacker would have access to all primary functions of the account, including the ability to upload and post videos, send text to other users, and view private videos stored in the account.

A vulnerability in the TikTok app for Android could have let attackers take over any account that clicked on a malicious link, potentially affecting hundreds of millions of users of the platform. Hackers could have used the exploit to post videos, send messages, and edit account details

Details of the one-click exploit were revealed today in a blog post from researchers on Microsoft’s 365 Defender Research Team. The vulnerability was disclosed to TikTok by Microsoft, and has since been patched.

The potential impact was huge, as it affected all global variants of the Android TikTok app, which has a total of more than 1.5 billion downloads on the Google Play Store. However, there’s no evidence it was exploited at scale. Researchers involved with the discovery and disclosure praised TikTok for a quick response.

“We gave them information about the vulnerability and collaborated to help fix this issue” Tanmay Ganacharya, partner director for security research at Microsoft Defender for Endpoint, told The Verge. “TikTok responded quickly, and we commend the the efficient and professional resolution from the security team.”

According to details published in the blog post, the vulnerability affected the deep link functionality of the Android app. This deep link handling tells the operating system to let certain apps process links in a specific way, such as opening the Twitter app to follow a user after clicking an HTML “Follow this account” button embedded in a webpage.

TikTok making money

This link handling also includes a verification process that should restrict the actions performed when an application loads a given link. But the researchers found a way to bypass this verification process and execute a number of potentially weaponizable functions within the app.

One of these functions let them retrieve an authentication token tied to a certain user account, effectively granting account access without the need to enter a password. In a proof-of-concept attack, the researchers crafted a malicious link that, when clicked, changed a TikTok account’s bio to read “SECURITY BREACH.”

Fortunately, the vulnerability was detected, and Microsoft has used the opportunity to stress the importance of collaboration and coordination between technology platforms and vendors.

TikTok has encountered years of criticism for potentially exposing the data of US users to China, where TikTok’s parent organization, ByteDance, is based. In 2020, former President Donald Trump threatened TikTok with a nationwide ban and attempted to force the company into separating its US-based assets from ByteDance, calling it a threat to national security.

While TikTok never really did sell its US-based assets, it discussed making American software company Oracle its “trusted technology partner.” The deal seemed like it was on its last leg after President Joe Biden took office but ended up reemerging in March with reports of something called Project Texas.

This initiative, which refers to the Texas-based headquarters of Oracle, is supposed to guard US users’ data in Oracles servers, barring access from the China-based ByteDance. It looks like some form of this deal is underway now, as TikTok has announced its transition to Oracle’s servers.

“As threats across platforms continue to grow in numbers and sophistication, vulnerability disclosures, coordinated response, and other forms of threat intelligence sharing are needed to help secure users’ computing experience, regardless of the platform or device in use,” wrote Microsoft’s Dimitrios Valsamaras in the blog post. “We will continue to work with the larger security community to share research and intelligence about threats in the effort to build better protection for all.”

Although the TikTok app is not known to have suffered any major hacks so far, some critics have branded it a security risk for other reasons.

Recently, concerns have been raised over the extent to which US users’ data can be accessed by China-based engineers at ByteDance, TikTok’s parent company. In July, Senate Intelligence Committee leaders called on FTC chair Lina Khan to investigate TikTok after reports brought into question claims that US users’ data was walled off from the Chinese branch of the company.

ByteDance Ltd. is a Chinese multinational internet technology company headquartered in Beijing and legally domiciled in the Cayman Islands.

Launched by Zhang Yiming, Liang Rubo, and a team of others in 2012, ByteDance created the video-sharing social networking assistance and apps TikTok and Chinese-specific counterpart Douyin. The company is also the creator of the news and information platform Toutiao. ByteDance hosts 1.9 Bn monthly active users across all its content platforms.

ByteDance encloses public attention over allegations that it operated with the Chinese Communist Party (CCP) to censor and surveil content about Xinjiang internment camps and other topics deemed controversial by the CCP.

In 2009, entrepreneur and software engineer Zhang Yiming teamed with his friend Liang Rubo to co-found 99fang.com, a real estate search engine. In early 2012, the pair leased an apartment in Zhongguancun and, along with several other 99fang employees, started developing an app that would use big data algorithms to classify news according to users’ preferences, which would later evolve Toutiao. That March, Yiming, and Liang founded ByteDance.

In March 2012, ByteDance established its first app, called Neihan Duanzi. It permitted users to circulate jokes, memes, and funny videos. At its zenith in 2017, Neihan Duanzi had around 200 million users.

In August 2012, ByteDance pitched the first version of the news and content platform Toutiao, which would evolve its core product. Toutiao hit 1 Mn daily active users four months after its launch.

In March 2016, ByteDance launched its research arm, the ByteDance AI Lab. It is captained by Wei-Ying Ma, the ex-assistant managing director of Microsoft Research Asia. The lab’s research has concentrated on AI for an in-depth understanding of information (text, images, videos) and developing machine learning algorithms for personalized notification recommendations. The ByteDance AI Lab and Peking University co-created Xiaomingbot, an AI bot that wrote news articles.

From late 2016 till 2017, ByteDance made several acquisitions and new product launches. In December 2016, it was supported by the Indonesian news recommendation platform BABE. Two months later, in February 2017, it earned Flipagram, which was later united with Musical.ly into TikTok upon the latter’s accession in November 2017. Other notable investments include the UGC short video platform Hypstar (Vigo Video) in July 2017 and the News Republic from Cheetah Mobile in November 2017.

ByteDance sued Chinese technology news website Huxiu for defamation in December 2018, after Huxiu informed that ByteDance’s Indian-language news app Helo was breeding misinformation.

In March 2021, ByteDance was part of a group of Chinese companies that aspired to deploy technology to circumvent Apple’s privacy policies. The subsequent month, ByteDance announced that it had formed a new division, BytePlus, to distribute the underlying forum of TikTok so that others may launch similar apps.