The TikTok Android app harbored a critical flaw that criminals could have exploited to hijack user accounts, Microsoft researchers have discovered.
The vulnerability involved using a crafted URL to bypass the app’s deeplink verification mechanism and force the app’s WebView component to load an arbitrary URL.
This, in turn, could have allowed threat actors to perform a one-click account takeover by leveraging an attached JavaScript interface. The flaw, tracked as CVE-2022-28799, affects older versions of the TikTok app (23.7.3 and before).
Despite the vulnerability’s tremendous destructive potential, Microsoft has no evidence that criminals have actually used it to carry out any attacks.
“The vulnerability, which would have required several issues to be chained together to exploit, has been fixed and we did not locate any evidence of in-the-wild exploitation,” reads Microsoft’s security advisory. “Attackers could have leveraged the vulnerability to hijack an account without users’ awareness if a targeted user simply clicked a specially crafted link. Attackers could have then accessed and modified users’ TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users.”
The company’s research team pointed out that more than 70 exposed methods could be invoked by injecting JavaScript code into pages loaded in the WebView. Threat actors could have leveraged those methods to various effects, such as modifying private user data and performing authenticated HTTP requests to arbitrary URLs.
Malicious actors could have used the disclosed deeplink verification bypass vulnerability in conjunction with an HTTP request authentication method to compromise TikTok accounts.
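The defensive core of this story is the check that decides whether a deeplinked URL is allowed to reach the WebView at all, since anything loaded there can call the JavaScript interface. The following plain-JDK class is an added illustration, not TikTok's or Microsoft's code, and the allowlisted host names and sample URLs are constructed placeholders. It contrasts a substring-style host check with a strict one that parses the URL, requires https, rejects userinfo and non-default ports, and compares the host exactly against an allowlist; in an Android app the strict check would run in `WebViewClient.shouldOverrideUrlLoading` and before any `loadUrl` or `addJavascriptInterface` call.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/**
 * Hypothetical deeplink host allowlist for a WebView that exposes a
 * JavaScript interface. Illustration only; host names are placeholders.
 */
public final class DeeplinkValidator {

    // Placeholder allowlist: only the app's own origins belong here.
    private static final Set<String> TRUSTED_HOSTS =
            Set.of("app.example.com", "help.example.com");

    /** The classic mistake: a substring test instead of a parsed host match. */
    public static boolean naiveContains(String raw) {
        return raw != null && raw.contains("app.example.com");
    }

    /** Returns true only if the URL may be loaded into the privileged WebView. */
    public static boolean isTrustedUrl(String raw) {
        if (raw == null || raw.isEmpty()) {
            return false;
        }
        final URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            return false; // malformed input is rejected, never "fixed up"
        }
        // Scheme must be exactly https (schemes are case-insensitive).
        String scheme = uri.getScheme();
        if (scheme == null || !scheme.toLowerCase(Locale.ROOT).equals("https")) {
            return false;
        }
        // A userinfo component ("trusted@other") is a well-known way to confuse
        // string-based checks, so it is simply not accepted.
        if (uri.getRawAuthority() == null || uri.getUserInfo() != null) {
            return false;
        }
        // Only the default port is allowed.
        if (uri.getPort() != -1) {
            return false;
        }
        String host = uri.getHost();
        if (host == null) {
            return false; // authority present but not a parsable host
        }
        host = host.toLowerCase(Locale.ROOT);
        // Exact match; prefix/suffix/substring comparisons are the usual bug.
        return TRUSTED_HOSTS.contains(host);
    }

    public static void main(String[] args) {
        // Constructed sample inputs for illustration only.
        String[] samples = {
            "https://app.example.com/profile",
            "https://APP.EXAMPLE.COM/settings",
            "http://app.example.com/",
            "https://app.example.com.attacker.example/",
            "https://app.example.com@attacker.example/",
            "https://attacker.example/?next=https://app.example.com",
            "javascript:void(0)",
        };
        for (String s : samples) {
            System.out.printf("%-58s naive=%-5b strict=%b%n",
                    s, naiveContains(s), isTrustedUrl(s));
        }
    }
}
```

Running the class shows the naive check accepting the lookalike host, the userinfo form and the redirect-parameter form, while the strict check accepts only the two genuine origins. The decision to attach the JavaScript interface should depend on the same strict result, so that a page the validator would not load can never reach the exposed methods.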
Experts determined that the vulnerability affected both TikTok variants: the East and Southeast Asia release (com.ss.android.ugc.trill) and the global one (com.zhiliaoapp.musically). On Google’s Play Store alone, the apps have a combined 1.5 billion installations.
TikTok was informed of the flaw in February 2022, and quickly released a fix. Microsoft issued a brief list of recommendations to stay safe against this attack and similar ones:
Specialized solutions like Bitdefender Mobile Security can help you fend off new and existing security threats with features like:
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.