Microsoft researchers found a serious vulnerability in TikTok that threatened the safety of user accounts. Specifically, they discovered an account hijacking vulnerability in the TikTok Android app.
TikTok App Account Hijacking Vulnerability
As elaborated in a recent blog post, Microsoft’s research team analyzed the TikTok Android app and found an account hijacking vulnerability. The researchers explained that they examined both TikTok app “flavors” – com.ss.android.ugc.trill (for East and Southeast Asia) and com.zhiliaoapp.musically (for other regions) – and observed that the vulnerability affected both versions.
Specifically, exploiting the flaw involves abusing the Android WebView via malicious JavaScript to execute various commands. An attacker could trigger the vulnerability simply by sending a malicious link to the target TikTok user. If the recipient opened the link through TikTok, Android’s WebView would load the site. The site could then load malicious JavaScript code from its servers that would invoke the exposed Java methods.
This exposure of Java methods to the attacker allowed hijacking of the target TikTok account through the WebView.
In a real-world scenario, an attacker exploiting this vulnerability could retrieve the target user’s authentication tokens, access account information, modify account details, and even access private videos.
The researchers have shared the technical details and the proof of concept for this attack in their post.
TikTok Patched The Flaw
Following this discovery, the researchers contacted the TikTok team to report the matter. The security issue received the identifier CVE-2022-28799 and a severity score of 8.3. According to the bug description in a HackerOne report,
A WebView Hijacking vulnerability was discovered on the TikTok Android utility through an un-validated deeplink on an un-sanitized parameter. This might have resulted in account hijacking via a JavaScript interface.
TikTok has since patched the vulnerability and shipped the fix in TikTok for Android version 23.7.3. TikTok has released numerous subsequent updates to the app.
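The HackerOne description above points at the root cause: a deeplink parameter that was loaded into a WebView carrying a JavaScript interface without proper validation. The following Java is an added example, not TikTok’s code and not the Microsoft researchers’ proof of concept, showing the defensive pattern for that situation: the deeplink’s URL parameter is checked against a strict scheme and host allowlist before anything is loaded, and in-page navigation is confined to the same allowlist so the bridge can only ever be reached by trusted pages. The parameter name `url`, the host names, the custom scheme and the `NativeBridge` class are assumptions made for illustration.

```java
// Added example (not TikTok's or Microsoft's code): a hardened deeplink handler for an
// Android WebView that exposes a JavaScript interface. The "url" parameter name, the
// allowlisted hosts and the NativeBridge class are assumptions for illustration.
package example.webview;

import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public final class SafeDeeplinkWebView {

    // Hosts that may be loaded while the JavaScript bridge is attached (assumed values).
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<>(Arrays.asList("www.example-app.com", "m.example-app.com"));

    private SafeDeeplinkWebView() {}

    /**
     * Extracts the "url" parameter from a deeplink such as
     * myapp://webview?url=https%3A%2F%2Fwww.example-app.com%2Fpromo and returns it only
     * when it is an absolute https URL whose host is on the allowlist. Returns null
     * otherwise, so the caller never loads an attacker-chosen origin into a bridged WebView.
     */
    public static Uri validateDeeplinkTarget(Uri deeplink) {
        if (deeplink == null) return null;
        String raw = deeplink.getQueryParameter("url");
        if (raw == null || raw.isEmpty()) return null;

        Uri target = Uri.parse(raw);
        // Require an absolute, hierarchical URL (rejects javascript:, data:, file:, content: ...).
        if (!target.isAbsolute() || !target.isHierarchical()) return null;
        if (!"https".equalsIgnoreCase(target.getScheme())) return null;

        String host = target.getHost();
        if (host == null) return null;
        // Exact, lower-cased host match: no startsWith/endsWith/contains checks, which are
        // what lets hosts like www.example-app.com.evil.test slip through.
        if (!TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) return null;
        return target;
    }

    /** Bridge object exposed to page JavaScript; only trusted pages may ever reach it. */
    public static final class NativeBridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; }  // expose benign, non-secret data only
    }

    /** Configures the WebView so that navigation away from trusted hosts is cancelled. */
    public static void configure(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new NativeBridge(), "NativeBridge");
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                Uri u = request.getUrl();
                String host = u.getHost();
                boolean trusted = "https".equalsIgnoreCase(u.getScheme())
                        && host != null
                        && TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
                // Returning true cancels the navigation, so the bridge stays bound to trusted pages.
                return !trusted;
            }
        });
    }

    /** Entry point for the deeplink: load only a validated target, otherwise do nothing. */
    public static boolean open(WebView webView, Uri deeplink) {
        Uri target = validateDeeplinkTarget(deeplink);
        if (target == null) return false;   // log and drop rather than loading anything
        configure(webView);
        webView.loadUrl(target.toString());
        return true;
    }
}
```

Two design points matter here. The host comparison is an exact match against a fixed set rather than a substring or suffix test, because loose matching is the classic way such allowlists are bypassed. And the navigation check in `shouldOverrideUrlLoading` keeps the restriction in force after the first load, so a trusted page cannot be walked to an untrusted origin while the bridge is still attached; an open redirect on an allowlisted host would still be a concern, which is one more reason to expose as little as possible through the interface in the first place.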