Microsoft has disclosed a high-severity one-click vulnerability in the TikTok Android application that let an attacker take over a victim's TikTok account with nothing more than a single crafted link.
Microsoft noted that the vulnerability has been fixed and that it has seen no indication that anyone was affected by the exploit. Attackers could have leveraged the vulnerability to hijack an account without the user's awareness if the targeted user simply clicked a specially crafted link.
Exploitation requires chaining several individual issues together. On successful exploitation, the attacker gains control of the user's profile, allowing them to publicize private videos, send messages, and upload videos on behalf of the user.
Microsoft security researchers notified TikTok of the issues in February 2022 through Coordinated Vulnerability Disclosure (CVD), in line with Microsoft's responsible disclosure policy. TikTok quickly responded with a fix; the vulnerability is now tracked as CVE-2022-28799.
The Google Play Store lists more than 1.5 billion installations of the TikTok Android app, so any user who had not updated to a fixed version was exposed.
The vulnerability is actually a combination of several individual issues that, when chained together, could give an attacker access to a victim's account: Microsoft's write-up describes a bypass of the app's deeplink validation that lets a crafted URL load an attacker-controlled page in the app's WebView, where JavaScript bridges exposed by the app to the page could be reached. Microsoft shares everything it learned and how it discovered the exploit in detail on its blog.
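To make the pattern concrete, here is an added illustration of the general bug class (a deeplink handler that feeds an insufficiently validated URL into a WebView with JavaScript bridges attached) beside a hardened version. It is example code written for this article, not TikTok's or Microsoft's code, and the activity name, scheme, parameter name, allowlisted hosts and `AppBridge` class are all hypothetical.

```java
// Added illustration of the deeplink -> WebView bug class; not TikTok's code.
// Assumed: the app registers a deeplink like myapp://open?url=https://... that
// this activity handles, and it attaches a JavaScript bridge to its WebView.
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public class DeeplinkWebViewActivity extends Activity {

    // Hosts the app is willing to load with its bridge attached (hypothetical allowlist).
    private static final Set<String> ALLOWED_HOSTS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("www.example-app.com", "m.example-app.com")));

    // WEAK: a substring check. Both "https://example-app.com.attacker.tld/" and
    // "https://attacker.tld/?r=example-app.com" pass, so an attacker-controlled
    // page ends up in the WebView next to the bridge.
    static boolean weakCheck(String url) {
        return url != null && url.contains("example-app.com");
    }

    // HARDENED: parse the URL, require https, and compare the exact host
    // against the allowlist instead of searching for a substring.
    static boolean strictCheck(String url) {
        if (url == null) return false;
        Uri u = Uri.parse(url);
        String host = u.getHost();
        return "https".equals(u.getScheme())
                && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    // Hypothetical bridge: every page loaded in the WebView can call these
    // methods, which is why loading an untrusted page is an account-takeover primitive.
    static class AppBridge {
        @JavascriptInterface
        public String getSessionToken() {
            return "<session token would be returned here>";
        }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreateInstanceState(savedInstanceState);
    }

    // Kept separate so the validation happens before any WebView or bridge exists.
    private void onCreateInstanceState(Bundle savedInstanceState) {
        Uri data = getIntent().getData();
        String target = data == null ? null : data.getQueryParameter("url");

        // The vulnerable variant would call weakCheck(target) here.
        if (!strictCheck(target)) {
            finish();
            return;
        }

        WebView webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new AppBridge(), "appBridge");
        webView.loadUrl(target);
    }
}
```

The design point is the ordering as much as the check itself: the URL is validated before the WebView is created and the bridge is attached, so a rejected deeplink never has a JavaScript interface in reach, and the host comparison is exact rather than a substring match.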