Microsoft turned up a critical bug in TikTok client


One-click account takeover.

Android versions of the popular TikTok app, which has recorded more than 1.5 billion downloads from the Play store, contained a high-severity vulnerability, now patched, that allowed single-click account takeover.


TikTok has advised users to update their app to Version 23.7.3 or above.

The bug is described with utmost brevity in its Common Vulnerabilities and Exposures entry.

“The TikTok application before 23.7.3 for Android allows account takeover. A crafted URL (unvalidated deeplink) can force the com.zhiliaoapp.musically WebView to load an arbitrary website. This may allow an attacker to leverage an attached JavaScript interface for the takeover with one click.”

In a blog post describing its discovery, Microsoft offered more detail.

“The vulnerability allowed the app’s deeplink verification to be bypassed," Microsoft wrote.

"Attackers could force the app to load an arbitrary URL to the app’s WebView, allowing the URL to then access the WebView’s attached JavaScript bridges and grant functionality to attackers.”

The post explained that JavaScript interfaces are provided by the WebView component, which “allows applications to load and display web pages and, using the addJavascriptInterface API call, can also provide bridge functionality that allows JavaScript code in the web page to invoke specific Java methods of a particular class in the app.”

The account takeover bug was found in how the TikTok app handled a particular deeplink – a kind of hyperlink that links to a specific component within the mobile app. 

By abusing the way the WebView and its JavaScript bridges interacted with the app's deeplinks, Microsoft found that an attacker could retrieve the user's authentication tokens, or retrieve and modify account data.

“In short, by controlling any of the methods able to perform authenticated HTTP requests, a malicious actor could have compromised a TikTok user account," the researchers said.
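The mechanism the article describes, reduced to its generic shape, as an added illustration that is not TikTok's code and not from Microsoft's post: an Activity receives a deeplink carrying a URL, loads that URL into a WebView, and that WebView exposes a JavaScript bridge. The bridge name (AppBridge), the deeplink parameter name (url), the package name and the allow-listed hosts are all assumptions made for this example. The weak check shows the kind of string-matching validation that can be bypassed; the hardened check parses the URL and compares scheme and host exactly.

```java
// Added example, not TikTok's or Microsoft's code. Package, bridge name,
// "url" parameter and the allowed hosts are assumptions for illustration.
package example.deeplink;

import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class DeeplinkWebViewActivity extends Activity {

    // Exact hosts only. endsWith("example.com") would also accept
    // "attacker-example.com"; contains() is weaker still.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com", "m.example.com"));

    // A bridge of the kind the advisory describes: any page loaded into this
    // WebView can call AppBridge.getSessionToken() from JavaScript, so the
    // URL filter is the only thing between the web and the user's session.
    private static final class AppBridge {
        private final String sessionToken;
        AppBridge(String sessionToken) { this.sessionToken = sessionToken; }

        @JavascriptInterface
        public String getSessionToken() { return sessionToken; }
    }

    // Weak check: trusts a substring of the raw string. Both
    // "https://evil.test/?x=https://www.example.com" and
    // "https://www.example.com.evil.test/" pass it.
    static boolean weakIsTrusted(String target) {
        return target != null && target.contains("example.com");
    }

    // Hardened check: parse first, then compare scheme and host exactly,
    // and refuse user-info so "https://www.example.com@evil.test/" cannot
    // confuse a looser parser downstream.
    static boolean isTrustedDeeplinkTarget(String target) {
        if (target == null) return false;
        Uri u = Uri.parse(target);
        String host = u.getHost();
        return "https".equals(u.getScheme())
                && host != null
                && u.getUserInfo() == null
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new AppBridge(loadSessionToken()), "AppBridge");

        // Assumed deeplink shape: myapp://webview?url=<target>
        Uri deeplink = getIntent().getData();
        String target = deeplink == null ? null : deeplink.getQueryParameter("url");

        // Reject rather than fall back to loading the raw string.
        if (!isTrustedDeeplinkTarget(target)) {
            finish();
            return;
        }
        webView.loadUrl(target);
    }

    private String loadSessionToken() {
        // Stand-in for the app's real credential store.
        return "session-token-placeholder";
    }
}
```

With the weak check in place, a link such as `myapp://webview?url=https://evil.test/?x=https://www.example.com` sends the victim's WebView to the attacker's page, whose JavaScript can simply call `AppBridge.getSessionToken()`; that is the one-click path the article describes. The hardened check parses the URL with `Uri.parse` and compares the host exactly against the allow-list, so the same link is rejected. Two further points for anyone auditing their own app: only methods annotated with `@JavascriptInterface` are exposed on Android 4.2 and later, so review every annotated method as if an untrusted site could call it, and prefer not to attach a bridge at all to a WebView that can be steered by externally supplied input.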

Copyright © iTnews.com.au. All rights reserved.