Security researchers revealed they uncovered a massive hole in TikTok’s security that affected every single user who has downloaded the app on Android devices worldwide. But if there is any lingering hint that any users were impacted by this “high severity” security exploit, then TikTok isn’t telling.
Microsoft 365 Defender researchers reported Wednesday on a serious vulnerability in the Android version of the TikTok app, one that could have allowed bad actors to potentially gain access to all aspects of a user’s account. The researchers said they revealed the exploit to TikTok back in February through its vulnerability reporting page.
A fix for the issue was included in an update released within a month’s time, although neither the company nor the researchers could say how long the exploit had been around.
TikTok did not answer Gizmodo’s questions about whether it knew if any users had been previously impacted by the exploit, although researchers found the exploit was present in both the East Asia version of the app, and the version of TikTok that the rest of the world uses, so essentially all 1.5 billion people who downloaded the extremely popular and lucrative app from the Google Play Store could have been susceptible.
Instead, in an email statement, a TikTok spokesperson reiterated points expressed in the Microsoft researchers’ blog post, adding: “Through our partnership with security researchers at Microsoft, we discovered and quickly fixed a vulnerability in some older versions of the Android app. We appreciate the Microsoft researchers for their efforts to help identify potential issues so we can resolve them.”
The company also pointed to its exploit bounty page it runs alongside HackerOne to try and stamp out exploits before they have the chance to hurt users. For their part, the researchers thanked the TikTok security team “for collaborating quickly and efficiently in resolving these issues.”
So how did this all work? Essentially, researchers found that TikTok had a vulnerability in the way it performed authenticated HTTP requests, specifically those that allowed for mobile deep link functionality which allows access to different parts of the app without actually going into the app itself. Have you ever accessed a Twitter post from an email or some other platform? That’s essentially a deep link.