TikTok fixed a critical security flaw in its Android app that allowed an attacker to hijack a user's account after the victim simply clicked a malicious link. The flaw was discovered in February by Microsoft and could give criminals full control of a profile, allowing them to view and publish private videos, post content and send messages to contacts and other users.
Disclosed in detail only now, the vulnerability has been fixed since March of this year, with TikTok publishing an update less than a month after Microsoft's notification of the issue. Tracked as CVE-2022-28799, it has been resolved since version 23.7.3 of the social network's application, and all users on the Android operating system are advised to update.
TikTok flaw not exploited by criminals, says company
Fortunately, according to the company, there are no indications that the flaw was exploited by criminals, but that could change now that the details of the exploit are publicly available. That is why the urgent update recommendation is reinforced for all users of the Android version of TikTok; the problem does not affect the iOS app or the web version of the social network.
In addition, as a general safety measure, users should exercise caution when clicking on links posted on the social network, whether in comments or video descriptions, as well as those sent by direct message, especially if they come from unknown people. Installations and downloads should always be done from official sources, to avoid tampered applications and reduce the risk of malware infection.
This is the second critical flaw of its kind resolved by TikTok in recent years. In January 2021, the social network also reported the correction of a vulnerability in its friend search system that could allow unauthorized access to users' personal information, even circumventing the service's own protection mechanisms.
Source: Microsoft, HackerOne