Microsoft disclosed a verification bypass vulnerability in TikTok's Android application, raising concerns about the security and functionality of the popular social media app.
In a blog post Wednesday, Microsoft detailed the TikTok vulnerability, tracked as CVE-2022-28799, which could enable threat actors to hijack accounts and publicize private videos, send messages and upload videos under the users' accounts. While TikTok fixed the flaw and Microsoft confirmed it did not observe in-the-wild exploitation, the vulnerability heightened concerns over access to private data as well as the in-app browser functionality.
Microsoft said the TikTok vulnerability affected both versions of the Android app -- the company has one version for East and Southeast Asia, and one for all other countries -- which have more than 1 billion downloads through the Google Play store.
In an email to TechTarget Editorial, TikTok said it had "discovered and quickly fixed a vulnerability in some older versions of the Android application."
The TikTok vulnerability was found in the way the Android app handles deep links, which Microsoft described as "a special hyperlink that links to a specific component within a mobile app and consists of a scheme and (usually) a host part."
The flaw allowed the app's deep link verification to be bypassed, according to Microsoft, which enabled researchers to sneak a malicious link into WebView, the Android component that runs TikTok's in-app browser.
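The general class of bug described above is a deep link handler that accepts a URL parameter and forwards it to WebView without a strict check on where it points. As an added illustration (not TikTok's code and not Microsoft's analysis; the scheme `exampleapp`, the host `webview`, the parameter `url` and the allowlisted hostnames are all constructed), the following shows a common anti-pattern, a string-prefix check, beside a verification step that parses the URL and compares scheme and hostname against an allowlist:

```python
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist: hosts the in-app browser is permitted to load.
# Hypothetical names, not any real app's configuration.
ALLOWED_HOSTS = frozenset({"www.example-app.test", "help.example-app.test"})
ALLOWED_SCHEMES = frozenset({"https"})


def naive_verify(url):
    """Anti-pattern: a prefix check on the raw string.

    It accepts any URL that merely begins with the trusted origin, so a
    lookalike host such as 'www.example-app.test.attacker.test' passes.
    Shown only for contrast with verify_webview_target below.
    """
    return url.startswith("https://www.example-app.test")


def verify_webview_target(url):
    """Return True only if url is safe to hand to the in-app WebView.

    The check works on the parsed URL: the scheme must be allowlisted and the
    hostname (lowercased, with userinfo and port removed by urlsplit) must be
    an exact member of ALLOWED_HOSTS.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname  # None when the URL has no network location
    if host is None:
        return False
    host = host.rstrip(".")  # treat 'example.test.' and 'example.test' alike
    return host in ALLOWED_HOSTS


def extract_webview_url(deep_link):
    """Parse a constructed deep link of the form exampleapp://webview?url=<target>.

    Returns the target URL, or None if the link is not for the WebView
    component or carries anything other than exactly one url parameter.
    """
    parts = urlsplit(deep_link)
    if parts.scheme != "exampleapp" or parts.netloc != "webview":
        return None
    targets = parse_qs(parts.query).get("url")
    if not targets or len(targets) != 1:
        return None
    return targets[0]


def handle_deep_link(deep_link):
    """Return the URL the WebView may load, or None if the link is rejected."""
    target = extract_webview_url(deep_link)
    if target is None or not verify_webview_target(target):
        return None
    return target


if __name__ == "__main__":
    # Constructed sample links, including two lookalike hosts that the
    # prefix check wrongly accepts and the parsed check rejects.
    samples = [
        "exampleapp://webview?url=https://www.example-app.test/help",
        "exampleapp://webview?url=https://www.example-app.test.attacker.test/",
        "exampleapp://webview?url=https://www.example-app.test@attacker.test/",
        "exampleapp://webview?url=http://www.example-app.test/",
    ]
    for link in samples:
        target = extract_webview_url(link)
        print(link, "->", "load" if handle_deep_link(link) else "reject",
              "(naive check would say:", naive_verify(target), ")")
```

The point of the contrast is that verification has to operate on the parsed components the WebView will actually use (scheme and hostname), not on the raw string the deep link delivered; userinfo (`@`), a lookalike suffix, or a different scheme all change the destination without changing the prefix.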
TikTok keylogging concerns
In-app browsers were the focus of another report last month by security researcher Felix Krause, who created a tool to verify what apps do in WebView. The report, which highlighted the risks of mobile apps using in-app browsers, examined around 25 of the most popular iOS apps and concluded that TikTok uses a technique equivalent to keylogging in its in-app browser.
"TikTok iOS subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app," Krause wrote in the report. "This can include passwords, credit card information and other sensitive user data."
In a statement to TechTarget Editorial, TikTok said the report's conclusions are incorrect and misleading.
However, infosec experts agree that there is a lack of legitimate reasons for TikTok to use the keylogging functionality for troubleshooting. For one, Chester Wisniewski, principal research scientist at Sophos, said troubleshooting is usually provided by the operating system and not the app. For example, Apple would be responsible for any iPhone problems and Google for Android because they use Safari and Chrome, respectively.
"Other than invading my privacy, I can't think of why you'd ever keystroke me. Even for troubleshooting," he said.
Nick DeLena, partner at consulting firm DGC who specializes in cybersecurity and privacy advisory, agreed that keylogging is generally seen as an invasion of privacy -- and when an app or service is found to be using it, its maker is usually pressured into an alternate means of troubleshooting. DeLena added that the risk with TikTok's app is "particularly acute" because TikTok parent company ByteDance is partially owned by the Chinese government.
When it comes to free apps such as TikTok, John Bambenek, principal threat hunter at Netenrich, said the entire ecosystem is designed to vacuum up any data it can about its users.
"I generally operate under the assumption that if I'm not paying for something, it's probably engaging in as many questionable privacy practices as possible to get as much information as it can from me," he said in an email to TechTarget Editorial.
Whether TikTok is using the functionality solely for troubleshooting purposes or not, it can still pose security risks for enterprises. For example, Tim Mackey, principal security strategist at Synopsys, explained that if the app is being used in a work environment, there is every potential that some sensitive information from the business could be included in the keylogging data packet.
Though many organizations don't allow certain applications or services to be downloaded on work devices, this is harder to control with the expanding remote workforce. That shift has contributed to a thinner divide between work and personal lives.
Wisniewski emphasized that people are using their own phones or tablets now, and might be unaware of certain threats.
"It only takes a minute to be confused about whether you're currently in the company web browser, or you might be in the in-app TikTok browser by accident and start doing company stuff, and that's a huge risk to data leakage," he said.