TikTok Android apps are among the most popular on Google Play, with over 1.5 billion total downloads.
The flaw affected both regional versions of the TikTok app, according to researchers.
Attackers would have needed to chain several issues together in order to exploit the vulnerability. The crucial component, however, was a custom-made malicious link.
According to the researchers, once the first step was completed, attackers could have gained access to a trove of personal data.
"Attackers could then have accessed and modified users' TikTok profiles and sensitive information, such as publicising private videos, sending messages, and uploading videos on users' behalf," Microsoft researchers wrote in a blog post.
"In short, a malicious actor could have compromised a TikTok user account by controlling any of the methods capable of performing authenticated HTTP requests," Microsoft researchers wrote.
Microsoft's investigation led to the discovery of over 70 exposed methods for loading JavaScript code into WebView.
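The defensive point behind the findings above is that a URL arriving through a deep link is untrusted input and must be validated before it reaches a WebView that exposes JavaScript bridges. The following is an added illustration, not code from TikTok or from Microsoft's write-up, of how an Android app can allow-list the hosts its in-app WebView may load. The activity name, the allow-listed hosts and the deep-link handling are assumptions for the example.

```java
// Added example (not TikTok's or Microsoft's code): host-allow-listed deep-link handling
// for an Android WebView. DeepLinkWebActivity and ALLOWED_HOSTS are assumed names/values.
// Assumes minSdkVersion >= 24 for the WebResourceRequest form of shouldOverrideUrlLoading.
package com.example.webview;

import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import androidx.appcompat.app.AppCompatActivity;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class DeepLinkWebActivity extends AppCompatActivity {
    // Hosts the in-app WebView is allowed to load. Placeholder values; a real app lists its own.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList(
            "www.example.com", "m.example.com"));

    /** True only for https URLs with no userinfo whose exact host is on the allow-list. */
    static boolean isTrustedUrl(Uri uri) {
        if (uri == null) return false;
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        // "https://www.example.com@other.test/" has host other.test; reject any userinfo outright.
        if (uri.getUserInfo() != null) return false;
        String host = uri.getHost();
        // Exact match on purpose: endsWith("example.com") would also accept "example.com.other.test".
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);

        // Any JavaScript bridge (addJavascriptInterface) attached to this WebView is reachable
        // by whatever page is loaded, so navigations must stay inside the allow-list as well.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true blocks the navigation; only allow-listed URLs proceed.
                return !isTrustedUrl(request.getUrl());
            }
        });

        // The deep-link URL comes from an Intent any app can send; validate it before it
        // is handed to the WebView instead of passing it through unchecked.
        Uri target = getIntent().getData();
        if (isTrustedUrl(target)) {
            webView.loadUrl(target.toString());
        } else {
            finish(); // Untrusted link: never load it into the privileged WebView.
        }
    }
}
```

The two checks belong together: validating the initial URL stops a crafted link from being loaded directly, and the `WebViewClient` override stops a page that is allow-listed from later navigating the same WebView, with its bridges still attached, to an untrusted origin.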
Researchers reported the flaw to TikTok in February and claimed that the company worked with them to fix it. Microsoft stated that there is no evidence that the flaw was exploited in the wild.
Separately, researchers discovered a TikTok flaw in September that gave them access to user phone numbers. That vulnerability, if exploited, would have allowed attackers to build a database of users and their associated phone numbers, which could then have been used for malicious activity.