A high-severity flaw in the Android version of the TikTok app, which has been installed more than 1.5 billion times so far through the Google Play Store, could allow threat actors to hijack a user's account with a single click.
Microsoft discovered the high-severity vulnerability in the handling of one of TikTok for Android's deeplinks, a special kind of hyperlink in Android that links to a specific component within an app. To exploit it, cybercriminals could craft a malicious link that, if clicked, would grant full account access.
Tracked as CVE-2022-28799, the flaw could allow attackers to modify users' TikTok profiles and access sensitive information, "such as by publicizing private videos, sending messages, and uploading videos on behalf of users," according to a Microsoft Security blog post published Wednesday.
In all, an exploit exposes 70 methods that an attacker could use to modify users' TikTok profiles and access sensitive information without users' awareness, the Microsoft researcher said.
Under the Hood: Exploiting JavaScript
While CVE-2022-28799 itself is found in a deeplink in the Android version of TikTok, exploiting the flaw depends on the app's implementation of JavaScript interfaces, which are provided by the app's WebView component, Microsoft said.
WebView allows applications to load and display web pages and, using the "addJavascriptInterface" API call, can also provide bridge functionality that allows JavaScript code in the web page to invoke specific Java methods of a particular class in the app.
The problem with WebView is that if someone such as a threat actor loads untrusted web content into a WebView with application-level objects accessible via JavaScript code, the app is vulnerable to JavaScript interface injection. This may lead to data leakage, data corruption, or, in some cases, arbitrary code execution, Microsoft said.
"TikTok for Android uses JavaScript interfaces extensively, enhancing the WebView capabilities that are used within the app," according to the post.
Microsoft researchers discovered what they call "a class of interest" that uses WebView in TikTok's Android version and that "registers a JavaScript bridge that has access to every kind of functionality implemented by the classes of a bridge," which can be exploited because of the deeplink vulnerability, they said.
"Attackers can use the vulnerability to redirect URLs to various parts of the application via a query parameter to trigger the deeplink and call nonexported activities, expanding the attack surface of the application," according to the post.
Proof-of-Concept TikTok Attack
In a proof-of-concept (PoC) exploit, Microsoft researchers were able to force the application to load an arbitrary URL (https://www.tiktok[.]com, in this case) into the application's WebView, they said.
"By crafting this URL with additional query parameters, it was possible to inject an instance of the JavaScript bridge that provides full access to the functionality implemented by the affected bridge package," according to the post.
It added, "In short, by controlling any of the methods able to perform authenticated HTTP requests, a malicious actor could have compromised a TikTok user account."
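The pattern Microsoft describes, a deeplink query parameter that decides which page a bridge-equipped WebView loads, comes down to one missing check before loadUrl(). The Android snippet below is an added illustration written for this article, not code from TikTok or from Microsoft's write-up; the package name, the AppBridge class and its methods, the "url" query parameter and the host allowlist are all hypothetical. It shows the risky sequence (commented out) next to a hardened version that requires an https URL on an allowlisted host, attaches the bridge only after that check passes, and re-checks every navigation so a trusted page cannot carry the bridge along to an untrusted one:

```java
package com.example.deeplinkdemo; // hypothetical package, not TikTok's

import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class DeeplinkWebViewActivity extends Activity {

    // Hypothetical bridge. Every @JavascriptInterface method is callable by
    // JavaScript in whatever page the WebView is showing, so a method that sends
    // requests carrying the user's session is exactly what the write-up warns about.
    static class AppBridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; }

        @JavascriptInterface
        public String authenticatedGet(String path) {
            // Placeholder body: a real one would attach the user's credentials.
            return "";
        }
    }

    // Constructed allowlist of hosts whose content the app vouches for.
    static final Set<String> TRUSTED_HOSTS = new HashSet<>(Arrays.asList(
            "www.example-app.com", "help.example-app.com"));

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);

        Uri deeplink = getIntent().getData();   // e.g. myapp://web?url=https://...
        String target = deeplink == null ? null : deeplink.getQueryParameter("url");

        // RISKY: the deeplink alone picks the page, and the bridge is attached regardless.
        //   webView.addJavascriptInterface(new AppBridge(), "AppBridge");
        //   webView.loadUrl(target);

        // HARDENED: validate first and fail closed; never fall back to loading it anyway.
        if (!isTrustedUrl(target)) {
            finish();
            return;
        }
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true blocks the navigation, so anything off the
                // allowlist is refused even if a trusted page links or redirects to it.
                return !isTrustedUrl(request.getUrl().toString());
            }
        });
        webView.addJavascriptInterface(new AppBridge(), "AppBridge");
        webView.loadUrl(target);
    }

    // Pure-JDK check (no Android classes) so it can be unit-tested on the host machine.
    static boolean isTrustedUrl(String candidate) {
        if (candidate == null) return false;
        URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            return false;
        }
        // Require https explicitly: javascript:, file:, content: and plain http all fail.
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        // Reject userinfo so https://www.example-app.com@other.invalid/ cannot pass.
        if (uri.getUserInfo() != null) return false;
        // Exact, case-insensitive host match. A startsWith() or contains() check on the
        // raw string would accept www.example-app.com.attacker.invalid.
        String host = uri.getHost();
        return host != null && TRUSTED_HOSTS.contains(host.toLowerCase());
    }
}
```

Two design points are worth stating. First, the allowlist only buys safety if the trusted pages themselves do not reflect attacker-controlled content (an open redirect or XSS on an allowlisted host puts the bridge back in reach), so the check belongs alongside ordinary web hardening, not in place of it. Second, the "70 methods" figure in the write-up is the other half of the problem: a bridge should annotate only the methods the page genuinely needs, and anything that performs authenticated requests on the user's behalf is the first candidate to remove rather than the last.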
Patch the TikTok App Now
Microsoft notified TikTok about the flaw, in line with its responsible disclosure practices. TikTok responded by quickly issuing a fix for both versions of the Android app it offers, one for East Asia and Southeast Asia and the other for all remaining countries, both of which were affected. Users should update their apps to the latest version to protect themselves.
The quick response is notable, given the myriad privacy and security issues that have plagued TikTok in the past. However, it has been cleaning up its act in recent years, starting with its introduction of a bug-bounty program through HackerOne in 2020.
In February, the company's global chief security officer Roland Cloutier told Dark Reading that TikTok has committed to building a culture of security and transparency going forward, given its access to sensitive data and content for billions of organizations and individuals.