The TikTok Android app harbored a critical flaw that criminals could have exploited to hijack user accounts, Microsoft researchers have discovered.
The vulnerability involved using a crafted URL to bypass the app’s deeplink verification mechanism and force the app’s WebView component to load an arbitrary URL.
This, in turn, could have allowed threat actors to perform a one-click account takeover by leveraging an attached JavaScript interface. The flaw, tracked as CVE-2022-28799, affects older versions of the TikTok app (23.7.3 and before).
Despite the vulnerability’s tremendous destructive potential, Microsoft has no evidence that criminals have actually used it to carry out any attacks.
“The vulnerability, which would have required several issues to be chained together to exploit, has been fixed and we did not locate any evidence of in-the-wild exploitation,” reads Microsoft’s security advisory. “Attackers could have leveraged the vulnerability to hijack an account without users’ awareness if a targeted user simply clicked a specially crafted link. Attackers could have then accessed and modified users’ TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users.”
The company’s research team pointed out that more than 70 exposed methods could be summoned by injecting JavaScript code into WebView-loaded web pages. Threat actors could have leveraged the methods for various effects, such as modifying private user data and performing authenticated HTTP requests to arbitrary URLs.
Malicious actors could have used the disclosed deeplink verification bypass vulnerability in conjunction with an HTTP request authentication method to compromise TikTok accounts.
Experts determined that the vulnerability affected both TikTok versions: the East and Southeast Asia release (com.ss.android.ugc.trill) and the global one (com.zhilliaoap.musically). On Google’s Play Store alone, the apps have a combined 1.5 billion installations.
TikTok was informed of the flaw in February 2022, and quickly released a fix. Microsoft issued a brief list of recommendations to stay safe against this attack and similar ones:
Specialized solutions like Bitdefender Mobile Security can help you fend off new and existing security threats with features like:
tags
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
View all postsSeptember 06, 2024
September 02, 2024
August 13, 2024