“High Severity” TikTok Vulnerability Subjected Accounts to Possible Hijacking
A vulnerability discovered in the Android version of TikTok let an attacker take over a victim's account once the victim clicked a malicious link, a flaw that could potentially have affected hundreds of millions of users.
The details were published in a blog post by researchers on Microsoft's 365 Defender Research Team. The vulnerability was disclosed to TikTok and has since been patched.
The bug and the attack it enabled were labeled a "high severity vulnerability". It could be used to hijack the account of any Android TikTok user, without the user's knowledge, once they clicked a specially crafted link. After the link was clicked, the attacker gained access to all primary functions of the account, including the ability to upload and post videos, send messages to other users, and view private videos stored on the account.
Although the potential impact could have been huge – as the Android version of TikTok has over 1.5 billion downloads in the Google Play store – no evidence was found that the vulnerability was exploited by attackers.
“Through our partnership with security researchers at Microsoft, we discovered and quickly fixed a vulnerability in some older versions of the Android app,” said TikTok spokesperson Maureen Shanahan. “We appreciate the Microsoft researchers for their efforts to help identify potential issues so we can resolve them.”
Microsoft confirmed in a statement that TikTok responded promptly to the report. "We gave them information about the vulnerability and collaborated to help fix the issue," said Tanmay Ganacharya, Partner Director for Security Research at Microsoft Defender for Endpoint. "TikTok responded quickly, and we commend the efficient and professional resolution from the security team."
The blog post noted that the vulnerability affected the deep link functionality of the Android app. Deep link handling tells the operating system to let certain apps process particular links in a specific way, such as opening the Twitter app to follow a user after clicking an HTML "Follow this account" button embedded in a webpage.
This link handling also includes a verification process that restricts the actions performed when the app loads a given link. The researchers found a way to bypass this verification and invoke potentially harmful functions of the app.
One of these functions let them retrieve an authentication token tied to a user's account, effectively granting them access without the need to enter a password. In a proof-of-concept attack, the researchers crafted a malicious link that, when clicked, changed a user's account bio to say "!! SECURITY BREACH !!!"
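The article does not describe how the verification was bypassed, so the following is an added illustration, not TikTok's or Microsoft's code: it contrasts a weak, string-matching check on a deep link's target with a strict check that parses the URL and requires an exact match against an allowlist of trusted hosts. The host names and the allowlist are assumptions made up for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

// Added example: a strict deep-link verifier of the kind an Android app
// should apply before acting on, or loading, a link's target.
public final class DeepLinkVerifier {
    // Hypothetical allowlist of hosts the app trusts (assumption, not TikTok's).
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("www.example.com", "m.example.com");

    // Weak check: substring matching on the raw string. Any URL whose query,
    // path or userinfo merely contains the trusted name passes.
    static boolean weakCheck(String url) {
        return url.contains("example.com");
    }

    // Strict check: parse first, then require https, no userinfo component
    // (which can disguise the real host), and an exact host match.
    static boolean isAllowedDeepLink(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false;
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        if (uri.getRawUserInfo() != null) return false;
        String host = uri.getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    public static void main(String[] args) {
        // Constructed sample links: one legitimate, three that should be rejected.
        String[] samples = {
            "https://www.example.com/video/123",            // legitimate
            "https://untrusted.invalid/?next=example.com",  // trusted name only in the query
            "https://example.com@untrusted.invalid/",       // trusted name in the userinfo part
            "javascript:alert(1)"                           // not https at all
        };
        for (String s : samples) {
            System.out.printf("%-46s weak=%-5b strict=%b%n",
                    s, weakCheck(s), isAllowedDeepLink(s));
        }
    }
}
```

Only the first sample passes the strict check; the weak check accepts the first three, which is the kind of gap that lets a link reach app functions it was never meant to trigger.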
Fortunately, the vulnerability was detected. Microsoft used this as an opportunity to stress the importance of collaboration between technology platforms and vendors.
“As threats across platforms continue to grow in numbers and sophistication, vulnerability disclosures, coordinated response, and other forms of threat intelligence sharing are needed to help secure users’ computing experience, regardless of the platform or device in use,” Dimitrios Valsamaras from Microsoft wrote in a blog post. “We will continue to work with the larger security community to share research and intelligence about threats in the effort to build better protection for all.”
Story via The Verge