TikTok bug could have let hackers take over your account — what you need to know


A vulnerability in the Android TikTok app meant hackers could have taken over your account. While this theoretically put millions of users at risk, it was only possible if you clicked on a malicious link.

Details about this newly-found one-click exploit have been revealed by Microsoft's 365 Defender Research Team. The team labeled the exploit a “high severity vulnerability” and informed TikTok of their findings. The social app promptly patched it, but it goes to show how easily users could have lost their accounts.

In basic terms, once a user clicked a specially crafted link, attackers would have had access to all primary functions of the TikTok account in question. That includes uploading videos, sending messages and viewing videos privately stored on the account.

Microsoft went into specifics, noting that the exploit worked by bypassing TikTok’s deeplink verification. This forced the app to load an arbitrary URL, and allowed that URL to access the WebView’s attached JavaScript bridges.

From there, researchers were able to retrieve authentication tokens for the account, letting them access it without a password. Fortunately, this exploit was a proof-of-concept attack, and there’s no evidence any hackers or other bad actors ever took advantage of it.
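As a sketch of what strict deeplink verification looks like, this Java check decides whether a link's target may be loaded into a WebView that has JavaScript bridges attached. It is an added example, not code from TikTok or Microsoft, and the class name, method name and allowlisted hosts are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added illustration: class name, method name and hosts are hypothetical.
public class DeeplinkGate {
    // Constructed allowlist: the only hosts allowed to see the JavaScript bridges.
    private static final Set<String> TRUSTED_HOSTS =
            Set.of("www.example-app.test", "m.example-app.test");

    // True only if the target may be loaded with JavaScript bridges attached.
    static boolean mayLoadWithBridge(String target) {
        if (target == null) return false;
        // Refuse backslashes, whitespace, control and non-ASCII characters,
        // which different URL parsers interpret differently.
        for (char c : target.toCharArray()) {
            if (c == '\\' || c <= ' ' || c > '~') return false;
        }
        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return false;
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        if (uri.getRawUserInfo() != null) return false; // no user@host forms
        String host = uri.getHost();                    // null if not a plain hostname
        if (host == null) return false;
        // Exact match on the parsed host, never a substring or suffix test.
        return TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        String[] samples = {                       // constructed inputs
            "https://www.example-app.test/help",   // accepted
            "http://www.example-app.test/help",    // rejected: not https
            "https://www.example-app.test.other.test/",   // rejected: different host
            "https://www.example-app.test@other.test/",   // rejected: userinfo
            "https://other.test/?next=https://www.example-app.test/", // rejected
            "javascript:void(0)"                   // rejected: wrong scheme
        };
        for (String s : samples) {
            System.out.println(mayLoadWithBridge(s) + "  " + s);
        }
    }
}
```

A redirect or in-page navigation can move the WebView off the validated host, so the same check needs to run on every navigation, not just on the initial deeplink.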

The security team notes that TikTok for Android is available in two variants: one for East and Southeast Asia, and another for all remaining countries. Both versions of the app were affected by this issue, and have a combined 1.5 billion downloads on Google Play. 

That shows you just how serious and widespread a problem this vulnerability actually was. Thankfully, TikTok was informed of the vulnerability back in February, and “quickly responded” by developing a fix. 

There’s no mention of iOS, or iPhones, in Microsoft’s blog post, suggesting those devices didn’t have the same vulnerability.

There are some things users can do to make sure this kind of attack never happens to them. The first is to ensure you have the latest version of the TikTok app installed. The other is to avoid clicking suspicious links, especially those from unknown sources. As this vulnerability shows, even something as simple as clicking a random link can have far-reaching consequences. 

Be sure to check out our guide on how to keep your social media accounts safe, and seven ways you can improve your online security for free. It's also worth investing in one of the best internet security suites and one of the best VPNs to add some extra layers to your online security, and should a ban in the US occur, a quality TikTok VPN may be of use as well.

Tom Pritchard
UK Phones Editor

Tom is Tom's Guide's UK Phones Editor, tackling the latest smartphone news and vocally expressing his opinions about upcoming features or changes. It's a long way from his days as editor of Gizmodo UK, when pretty much everything was on the table. He’s usually found trying to squeeze another giant Lego set onto the shelf, draining very large cups of coffee, or complaining about how terrible his Smart TV is.
