2022-09-01

The Microsoft 365 Defender Research Team discovered a vulnerability in TikTok’s Android app that could have let attackers take over the accounts of users who clicked on a malicious link.

The high-severity security flaw has now been patched after Microsoft disclosed it to TikTok. Microsoft noted that it did not locate any evidence of in-the-wild exploitation.

The vulnerability made it possible to bypass the app’s deep link verification, force the app to load an arbitrary URL into its WebView, and reach the JavaScript bridges exposed to that WebView, handing their functionality to an attacker.
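The defensive point behind this class of bug is that a URL taken from a deep link must be checked strictly (exact scheme and host match) before it is loaded into a WebView that exposes JavaScript bridges. The following added example is not TikTok’s or Microsoft’s code; the custom scheme `exampleapp`, the `url` query parameter and the allowlisted hosts are constructed assumptions. It contrasts a loose substring check with a strict one and shows how each treats a few deliberately tricky inputs.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: the only hosts the app may load into its bridged WebView.
TRUSTED_HOSTS = {"www.example.com", "m.example.com"}
APP_SCHEME = "exampleapp"   # hypothetical deep-link scheme
URL_PARAM = "url"           # hypothetical query parameter carrying the WebView target


def weak_host_check(url: str) -> bool:
    """Loose check: accepts any URL that merely *contains* a trusted host name.
    Shown here as the anti-pattern; it is fooled by the inputs tested below."""
    return any(host in url for host in TRUSTED_HOSTS)


def strict_webview_url_check(url: str) -> bool:
    """Strict check: https only, no userinfo, and an exact host match."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False                     # reject "trusted@attacker" style URLs
    host = parts.hostname                # lower-cased, port stripped, None if absent
    return host is not None and host in TRUSTED_HOSTS


def resolve_deeplink(deeplink: str) -> Optional[str]:
    """Return the WebView target carried by a deep link only if it passes the
    strict check; None tells the caller to refuse the load."""
    parts = urlsplit(deeplink)
    if parts.scheme != APP_SCHEME:
        return None
    target = parse_qs(parts.query).get(URL_PARAM, [None])[0]
    if target is None or not strict_webview_url_check(target):
        return None
    return target


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate URL and several look-alikes.
    for candidate in [
        "https://www.example.com/help",
        "https://www.example.com.attacker.test/",
        "https://www.example.com@attacker.test/",
        "https://attacker.test/?ref=www.example.com",
        "http://www.example.com/",
    ]:
        print(f"{candidate:48} weak={weak_host_check(candidate)!s:5} "
              f"strict={strict_webview_url_check(candidate)}")
```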

Attackers could have used the vulnerability to take over users’ accounts without their knowledge, providing access to all the account’s primary functions.

This means that threat actors would have been able to upload and post videos, message other users, and view and publicise private videos stored on the account.

The potential impact of the vulnerability, had it been exploited, was broad: it affected all variants of TikTok’s Android app, which has over one billion downloads on the Google Play Store.

“However, there’s no evidence it was exploited by bad actors,” The Verge quoted TikTok spokesperson Maureen Shanahan as saying.

“Researchers involved with the discovery and disclosure praised TikTok for a quick response.”