Microsoft Identifies TikTok Bug that could Reveal Private Videos of Millions

The Microsoft 365 Defender Research Team identified a vulnerability in the TikTok app for Android that allows hackers to take control of millions of users’ private, short-form videos after they clicked on a malicious link.

Microsoft identified a critical flaw in the TikTok Android app that could have allowed attackers to compromise users’ accounts with a single click. The Chinese corporation has already patched the vulnerability, which would have required many vulnerabilities to be chained together to exploit.

“Attackers could have leveraged the vulnerability to hijack an account without users’ awareness if a targeted user simply clicked a specially crafted link,” Microsoft said in a statement.

Attackers could have then accessed and modified users’ TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users.

TikTok’s Android app is available in two versions: one for East and Southeast Asia and another for the rest of the world.

During a TikTok vulnerability review, the Microsoft team discovered that the issues affected both Android versions of the app, which had over 1.5 billion installations combined via the Google Play Store.

A Microsoft security researcher notified TikTok of the issues after thoroughly examining the implications.

Microsoft said in a statement that TikTok promptly responded by providing a patch to address the disclosed vulnerability, which is now known as CVE-2022-28799, and users can find additional information at the CVE entry. TikTok users are advised to utilize the most recent version of the app.