Microsoft’s security team has found a vulnerability in the TikTok Android app.

The 365 Defender Research Team on Wednesday explained in a post how the one-click exploit could have allowed hackers to hijack millions of accounts.

“The vulnerability, which would have required several issues to be chained together to exploit, has been fixed and we did not locate any evidence of in-the-wild exploitation,” the company wrote in a blog post. “Attackers could have leveraged the vulnerability to hijack an account without users’ awareness if a targeted user simply clicked a specially crafted link.”

Attackers could have accessed and modified users’ TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users, the company said.

Microsoft’s security team explains in the post that the vulnerability involved an oversight with TikTok’s deep-linking function.

The vulnerability allowed hackers to bypass the app’s deep-link verification function. Attackers could force the app to load an arbitrary URL to the app’s WebView, allowing the URL to then access the WebView’s attached JavaScript bridges and grant functionality to attackers.

Most marketers know, but for those who don’t, a deeplink is a hyperlink that links to a specific component in a mobile app and consists of a scheme and, usually, a host, Microsoft explains. When a deeplink is clicked, the Android package manager queries all the installed applications to see which one can handle the deeplink and then routes it to the handler of that link. (More explained here.)

“Performing a vulnerability assessment of TikTok, we determined that the issues were affecting both flavors of the app for Android, which have over 1.5 billion installations combined via the Google Play Store,” Microsoft said. 

Microsoft’s team informed TikTok in February. TikTok quickly responded by releasing a fix to address the reported vulnerability.

Microsoft’s security team found a vulnerability in the TikTok Android app — a one-click exploit that could have allowed hackers to hijack millions of accounts, the 365 Defender Research Team on Wednesday explained in a post.