Reported that TikTok's Android application had a "vulnerability that lets accounts be hijacked with one tap"
A security research team at Microsoft 365 Defender has reported that it discovered a high-severity vulnerability in the TikTok Android application. Using this vulnerability, an attacker could compromise a victim's account, then send unsolicited messages or upload videos, after the victim taps a malicious URL just once.
Vulnerability in TikTok Android app could lead to one-click account hijacking - Microsoft Security Blog
Microsoft found TikTok Android flaw that let hackers hijack accounts
There are two types of TikTok Android apps: the package 'com.ss.android.ugc.trill' for East and Southeast Asia and the package 'com.zhiliaoapp.musically' for other countries. The security research team says that this vulnerability affects both types.
By exploiting this vulnerability, an attacker could obtain a user's authentication token at will, or read or modify the user's TikTok account data.
Microsoft notified TikTok of this issue in February 2022; the vulnerability was assigned CVE-2022-28799, and a corresponding fix has been released. The vulnerability had therefore already been fixed at the time this article was written. The security research team also states that there is no evidence that CVE-2022-28799 has been exploited.
In addition, the security research team urges users to observe the following four points to protect themselves from exploitation of this vulnerability.
- Don't tap links from untrusted sources.
- Keep your device and installed apps up to date.
- Do not install apps from untrusted sources.
- Immediately report to the vendor if abnormal behavior of the app is confirmed, such as settings being changed without permission.