‘One-click’ TikTok hack discovered puts 2 billion app users at risk, but no reports yet of account takeover in the wild

A severe “one-click” TikTok hack that Microsoft discovered and reported to the social media giant would have been fixed without incident, but a hacker appeared on an underground forum to claim he had stolen data to sell. The attack affects the service’s Android app version and enables account takeover when a victim clicks on a malicious URL.

If the hacker’s story is to be believed, the information of two billion profiles could have been stolen. However, the evidence is thin at this point. Microsoft says there’s no evidence the TikTok hack was ever used in the wild, and TikTok says it found no evidence of a breach.

TikTok hack puts billions of accounts at risk, but evidence of public exposure remains thin

Microsoft’s 365 Defender Research team discovered the account takeover vulnerability and reported it to TikTok in February this year, but only recently disclosed it to the public. TikTok said it fixed the issue immediately upon becoming aware of it. The vulnerability is present in versions of the Android app earlier than 23.7.3, and TikTok users with automatic updates enabled (or those who downloaded the app since March 2022) should already be protected. It was also present in all global versions of the app, including those specially designed for certain countries in Asia.

The vulnerability was considered “high severity” at the time and has since received a score of 8.8 from the National Institute of Standards and Technology (NIST). The TikTok hack allowed the attacker to load an arbitrary URL into the app’s WebView, which in turn allowed access to WebView’s JavaScript bridges paving the way for a full account takeover by capturing the user authentication token. If a user clicked on the malicious link, the attacker could take full control of their profile to include downloading videos and messaging other users.

After Account Takeover Bug Reported, Hacker Claims Exposed Data of Over 1 Billion Users and Offers It for Sale

Initially, it appeared to be a simple case of a serious vulnerability discovered internally, patched and then acknowledged when safe months after the fact. Then, a threat actor appeared on an underground forum claiming he had exploited a TikTok hack that allowed him to steal 34GB of user data.

It’s not entirely clear if the attacker claims to use the account takeover vulnerability to steal the data, but he claimed to have around 1.37 billion user records for sale (almost the total number of estimated Android app users) and appeared with the offering not long after the vulnerability was publicly disclosed.

The offer appeared on the underground “Breach Forums” message board, posted by a user calling himself “AgainstTheWest”. They have indicated that they are considering either selling the data or simply selling it to the public.

Security researchers aren’t convinced this stemmed from a legitimate TikTok hack or account takeovers were involved, however, at least on the face of it, the available evidence. Have I Been Pwned owner Troy Hunt, a professional security researcher, analyzed the 237MB data sample provided by the threat actor and did not see clear evidence linking him to a new breach . He said some of the data included was already publicly available, and other parts were junk or test data.

Davey Winder, security researcher and senior cybersecurity contributor for Forbes, recently made a deeper dive in the alleged TikTok hack and echoed the results of the Have I Been Pwned analysis. Winder added that the data included in the sample appeared to come from a third-party marketing company that works with TikTok, which has since been backed up by statements from TikTok themselves. Bob Diachenko, another prominent cybersecurity analyst, added that he believed the data came from a marketing firm based in the city of Hangzhou, China. It is unclear exactly how much user information this company had access to.

A severe one-click TikTok hack that Microsoft discovered was reportedly patched without incident, but a #hacker has appeared on an underground forum to claim he has 1 billion stolen user records for sale. #cybersecurity #respectdataClick to tweet

Although there are no signs of a successful account takeover yet and TikTok does not recommend any special security measures at this time, users may want to enable two-factor authentication (2FA) on their accounts by caution. TikTok is emerging from a potentially more concerning incident over the summer, in which it was revealed that engineers in China had widespread access to overseas user accounts despite the company’s promises that it would no longer happen. TikTok also experienced a third-party data leak in 2020, although this included profiles from other services such as Instagram and YouTube and potentially didn’t impact its user base as much.

Jennifer C. Burleigh