TikTok for Android contained a vulnerability that allowed account takeover

The TikTok app contained a vulnerability that made it possible for a stranger to take over an account. Microsoft researchers found the vulnerability, and TikTok has since patched it.

TikTok vulnerability, September 2022

The vulnerability, CVE-2022-28799, is triggered when a user clicks a link in the app. The link is opened in a WebView inside the app itself, and if an attacker pointed that link at a website carrying prepared JavaScript code, the account could be taken over from within the WebView.
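The defensive counterpart to this bug class is to never load an untrusted page in a WebView that carries the app's privileges. The following is an added example, not TikTok's or Microsoft's code: a hypothetical `AllowlistWebViewClient` that only lets the WebView load `https` URLs whose host is exactly on a fixed allowlist (the hostnames are constructed placeholders), and that gates the initial `loadUrl` call as well, since `shouldOverrideUrlLoading` is not invoked for it.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Added example (hypothetical class, not from the TikTok app).
public final class AllowlistWebViewClient extends WebViewClient {
    // Constructed placeholder hosts; a real app lists its own first-party hosts.
    private static final Set<String> ALLOWED_HOSTS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("www.example-app.invalid", "m.example-app.invalid")));

    /** Returns true only for https URLs whose exact host is on the allowlist. */
    static boolean isAllowed(Uri uri) {
        if (uri == null || !"https".equalsIgnoreCase(uri.getScheme())) {
            return false;
        }
        // Uri.getHost() strips userinfo, port and path, so a URL such as
        // https://www.example-app.invalid@attacker.invalid/ yields "attacker.invalid";
        // exact matching also rejects subdomain tricks like www.example-app.invalid.attacker.invalid.
        String host = uri.getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    /** Gate the first load too: shouldOverrideUrlLoading is not called for loadUrl(). */
    static boolean loadIfAllowed(WebView view, String url) {
        if (!isAllowed(Uri.parse(url))) {
            return false; // caller should hand the URL to the system browser instead
        }
        view.loadUrl(url);
        return true;
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        // Returning false lets the WebView navigate; returning true blocks it.
        // Untrusted pages must never run inside a WebView that exposes
        // JavaScript bridges or carries the user's session.
        return !isAllowed(request.getUrl());
    }
}
```

Redirects go through the same `shouldOverrideUrlLoading` check, so a page on an allowed host cannot bounce the WebView to an attacker-controlled one.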

This made it possible not only to access the user's personal data, but also to post videos on that user's behalf, Microsoft writes. The vulnerability affects all versions of TikTok up to 23.7.3, according to the CVE's listing.

The vulnerability is present in both versions of the app. Parent company ByteDance has one TikTok app for Southeast Asia and a separate version for the rest of the world. Combined, the two versions have more than one and a half billion installs on the Play Store. TikTok responded quickly and patched the vulnerability in February. To our knowledge, no exploitation of the vulnerability has been seen in the wild.