A TikTok hack that allows account takeover with a single click on a malicious link has been disclosed by security researchers at Microsoft, and at least one hacker has already appeared on the dark web claiming to have stolen the data of over a billion users.
At this point, the stolen data looks like a hoax. The vulnerability itself was real, however, and it adds to an ongoing chain of questions about how safe the app is, particularly for its many underage users who may not be aware of security best practices.
Reports of account takeover flaw lead to claims of stolen data
The public did not become aware of the TikTok hack until it was disclosed by threat researchers at Microsoft, who had privately reported it to TikTok some months earlier. The account takeover flaw was patched in version 23.7.3 of the app, released in March, and later versions do not contain the vulnerability. It only affected the Android version; the attack method apparently does not work on iOS or in the web browser version.
Though they did not claim to have used this particular TikTok hack, a dark web forum user appeared offering scads of stolen data shortly after the announcement (despite both Microsoft and TikTok issuing statements saying they have not detected any breaches related to the account takeover method). The supposed thief claims to have 34GB of pilfered user profile data for sale, amounting to the records of about 1.37 billion TikTok users (roughly all of its estimated total of Android app users worldwide).
Security researchers are skeptical. A 237MB sample posted to the "Breach Forums" website has not stood up to scrutiny particularly well: it contains a good deal of publicly available information and junk data. The data also has attributes indicating it came from a particular third-party marketing firm based in China rather than from a direct TikTok hack.
TikTok has not acknowledged these claims as legitimate and is not advising its users to take any special actions regarding the account takeover flaw (other than ensuring that the app has been updated since March).
Given a severity score of 8.8 by NIST, the TikTok hack is considered a high-severity issue because of the relative ease of remote account takeover. Older, unpatched versions of the Android app remain vulnerable.
The attack abuses a flaw in the app's WebView bridge, the component that lets web content be displayed inside TikTok. With a specially crafted URL, an attacker can steal the victim's authentication token and gain immediate access to the entirety of their account. The flaw enables takeover of individual accounts rather than any wide-ranging access to TikTok's internal network, however, which lends further credence to the idea that the alleged breach is a scammer trying to repackage old data.
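The defensive pattern behind the fix described above is to refuse to load deep-link-supplied URLs in a WebView that exposes a JavaScript bridge unless the URL's host is on a strict allowlist. The following is an added illustration, not TikTok's code or Microsoft's: a hypothetical Android activity (`DeepLinkActivity`, allowlist hosts, the `SessionBridge` interface and its placeholder token are all assumptions) that validates the scheme and exact host before loading, and re-checks on every navigation so a redirect cannot escape the allowlist.

```java
// Added example (hypothetical, not the app's real code): a deep-link handler
// that validates a URL taken from an intent before a bridged WebView loads it.
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class DeepLinkActivity extends Activity {
    // Hypothetical allowlist of exact hostnames the in-app WebView may load.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList(
            "www.example-app.com",
            "m.example-app.com"));

    private WebView webView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        setContentView(webView);
        // A JavaScript bridge is what makes an untrusted page dangerous:
        // any script running in this WebView can call the bridge's methods.
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new SessionBridge(), "app");
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Re-check every navigation; returning true blocks the load.
                return !isAllowedUrl(request.getUrl().toString());
            }
        });
        handleIntent(getIntent());
    }

    private void handleIntent(Intent intent) {
        Uri data = intent.getData();
        if (data == null) return;
        // The risky input: a URL parameter supplied by whoever crafted the link.
        String target = data.getQueryParameter("url");
        if (isAllowedUrl(target)) {
            webView.loadUrl(target);
        } else {
            // Refuse and log, so rejected links are visible to monitoring.
            Log.w("DeepLink", "Rejected untrusted WebView target");
        }
    }

    static boolean isAllowedUrl(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        // Require https and an exact host match. Prefix or substring checks
        // such as url.startsWith("https://www.example-app.com") are bypassable
        // (e.g. by a host like www.example-app.com.attacker.example).
        return "https".equalsIgnoreCase(uri.getScheme())
                && uri.getHost() != null
                && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase());
    }

    private static class SessionBridge {
        @JavascriptInterface
        public String getSessionToken() {
            // Exposing session material to page script is only acceptable when
            // the page origin is trusted, which is what the host check enforces.
            return "<session-token-placeholder>";
        }
    }
}
```

The two checks matter together: validating only the initial `loadUrl` leaves the bridge exposed to any redirect the allowed page performs, and validating with `startsWith` or `contains` instead of an exact host comparison leaves it exposed to look-alike hostnames.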