1.5 billion downloads worldwide and a serious flaw: cybersecurity specialists have discovered a way to take control of a TikTok account, but the bug has since been fixed.
TikTok is a short-video sharing social network that has quickly established itself as a leader in its field. Available as a mobile application, it goes with you anywhere.
Operating system: Android, online service (all Internet browsers), Windows 10/11, iOS (iPhone / iPad)
A major flaw has been discovered in the TikTok app. In a blog post, Microsoft's cybersecurity specialists detail how a single link could be used to take full control of a TikTok account. Or rather, how it was possible to take control, because the bug has thankfully been fixed.
The vulnerability, known by the poetic name CVE-2022-28799, allowed an attacker to post or delete videos, send messages and even change account settings. In short, a nightmare for TikTok addicts. Note that only the Android version was affected. Microsoft nevertheless states that it is “not aware of any exploitation of the flaw” by malicious hackers. Microsoft's specialists also note that TikTok resolved the problem “efficiently and professionally” once informed of it.
Deep linking at the heart of the problem
This flaw abused an Android mechanism called deep linking. This feature automatically opens an application on specific content when you click on a link: if you click an Instagram or Twitter link from a web page and the app launches to show you that content, it is using deep linking. Alas, TikTok's implementation of this mechanism left something to be desired, allowing anyone with fairly solid technical knowledge to make the app open a web page containing malicious code. From there, it became possible to steal authentication tokens and thus gain access to the targeted account.
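As an added illustration, not code from the TikTok app or from Microsoft's write-up, the sketch below contrasts the kind of defect described above with the check that closes it. It assumes a hypothetical Android activity that receives a deep link carrying a `url` parameter and displays it in an in-app WebView; the activity name and the allowed host names are placeholders.

```java
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.List;

// Hypothetical activity handling a deep link such as
// myapp://open?url=https://www.example.com/page and showing the page in a WebView.
public class DeepLinkActivity extends Activity {
    // Placeholder allowlist: the only hosts this app should ever render in-app.
    private static final List<String> ALLOWED_HOSTS =
            Arrays.asList("www.example.com", "m.example.com");

    private WebView webView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        setContentView(webView);

        Uri deepLink = getIntent().getData();
        String target = deepLink == null ? null : deepLink.getQueryParameter("url");

        // Weak pattern: whatever URL the link carries is loaded inside the app's
        // own WebView, so a crafted link brings outside content into the app's
        // context, where it can reach whatever the WebView exposes (e.g. tokens).
        // webView.loadUrl(target);

        // Hardened pattern: load the page only if it passes the allowlist check,
        // otherwise fall back to a fixed, trusted page instead of the caller's URL.
        if (isAllowedUrl(target)) {
            webView.loadUrl(target);
        } else {
            webView.loadUrl("https://www.example.com/");
        }
    }

    // Accepts only absolute https URLs whose host matches the allowlist exactly.
    // Comparing the parsed host as a whole (never a substring or prefix check)
    // rejects lookalikes such as "www.example.com.attacker.test" and
    // "https://attacker.test/?x=www.example.com"; rejecting user-info blocks
    // "https://www.example.com@attacker.test/" as well.
    static boolean isAllowedUrl(String candidate) {
        if (candidate == null) return false;
        Uri uri = Uri.parse(candidate);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false;
        if (!"https".equalsIgnoreCase(scheme)) return false;
        if (uri.getUserInfo() != null) return false;
        return ALLOWED_HOSTS.contains(host.toLowerCase());
    }
}
```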
To illustrate the case, Microsoft created a proof-of-concept deep link that changes an account's profile bio to the anxiety-inducing message “!! SECURITY BREACH!!”. The flaw was present in both versions of the application (one for the Asian market and the other for the rest of the world), which together have accumulated 1.5 billion downloads. Suffice it to say that the problem could have been very serious had it not been discovered and corrected quickly.
To avoid unpleasant surprises, the team that discovered the flaw offers some advice: do not click on links from unknown sources, always keep your apps up to date, never install an application from an unknown source, and report any unexpected behavior, such as changes to your account settings, to the development teams.