On Wednesday, Microsoft disclosed details of a “high severity vulnerability” in the TikTok app for Android, since fixed, that could have allowed attackers to take over accounts if users clicked a malicious link.
In a report, Dimitrios Valsamaras of the Microsoft 365 Defender Research Team stated that attackers “may have utilized the vulnerability to hijack an account without users’ awareness if a targeted user just clicked a carefully crafted link.”
Had the vulnerability been exploited successfully, attackers could have gained access to and control over users’ TikTok profiles and private data, leading to the unintended exposure of private videos. Attackers might also have used the bug to post videos and send messages on users’ behalf.
The problem is fixed in version 23.7.3 of the Android app. It affects two variants of the app: com.ss.android.ugc.trill for users in East and Southeast Asia, and com.zhiliaoapp.musically for users in other countries outside India, where the app is banned. Together, the two apps have been installed more than 1.5 billion times.
The vulnerability, identified as CVE-2022-28799 (CVSS score: 8.8), relates to how the app handles so-called deep links, which are unique hyperlinks that let apps open a particular resource within another app that is installed on the user’s device rather than referring consumers to a website.
An advisory for the vulnerability states that “a crafted URL (unvalidated deep link) can compel the com.zhiliaoapp.musically WebView to load an arbitrary website.” That could let an attacker exploit a JavaScript interface attached to the WebView.
By me @Forbes: Microsoft's 365 Defender Research Team reveals how it found a 1-click TikTok app account takeover vuln.#infosec #tiktok #account #hack #thursdaymorning #TechNews https://t.co/cDsEbL3qxw
— Davey Winder (@happygeek) September 1, 2022
Simply put, the flaw lets an attacker bypass the app’s restriction that rejects untrusted hosts and load a website of their choosing in the Android System WebView, the component apps use to display web content.
The static analysis “indicated that it is possible to bypass the server-side check by adding two additional parameters to the deep link,” Valsamaras said, adding that the server-side filtering “takes place and the decision to load or reject a URL is based on the reply received from a particular HTTP GET request.”
An adversary who exploited the flaw to hijack the WebView and load a malicious page could then have reached more than 70 exposed TikTok endpoints, compromising the integrity of a user’s profile. There is no evidence that the bug has been exploited in the wild.
Microsoft noted that exposing JavaScript APIs “poses substantial dangers from a programming standpoint.” Through a compromised JavaScript interface, attackers could execute code with the application’s ID and privileges.
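The root cause described above is a deep-link handler that accepts a URL parameter and hands it to a WebView without validating it on the client. The following Python example is added here to illustrate the defensive pattern; it is not code from the Microsoft report or from TikTok. It contrasts a substring check, which look-alike hosts and query strings slip past, with a strict allowlist that decides from the parsed scheme and host only, and it rejects deep links that carry a repeated URL parameter rather than guessing which copy the server-side filter saw. The hosts, the `app://webview` scheme and the `url` parameter name are constructed for the example.

```python
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed allowlist for this example; a real app ships its own.
ALLOWED_HOSTS = {"www.example-app.com", "m.example-app.com"}
ALLOWED_SCHEMES = {"https"}


def naive_is_trusted(url: str) -> bool:
    """The kind of substring check that is easy to evade: it matches the
    trusted name anywhere in the URL, including inside attacker-controlled
    subdomains and query strings."""
    return "example-app.com" in url


def is_trusted_webview_url(url: str) -> bool:
    """Strict allowlist: decide from the parsed scheme, host and port only."""
    p = urlparse(url)
    if p.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # 'https://trusted-looking@real-host/' style confusion: refuse userinfo.
    if p.username is not None or p.password is not None:
        return False
    host = (p.hostname or "").rstrip(".")  # hostname is already lowercased
    if host not in ALLOWED_HOSTS:
        return False
    try:
        port = p.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    return port in (None, 443)


def webview_target_from_deep_link(deep_link: str, param: str = "url") -> Optional[str]:
    """Return the page a deep link asks the WebView to open, or None when the
    link must be rejected.

    A repeated parameter is rejected outright: if a server-side filter and
    the client can pick different copies, an attacker can satisfy the filter
    with one value while the WebView loads the other.
    """
    p = urlparse(deep_link)
    values = parse_qs(p.query).get(param)
    if not values or len(values) != 1:
        return None
    target = values[0]
    return target if is_trusted_webview_url(target) else None


if __name__ == "__main__":
    # Constructed sample deep links, as a deep-link handler would receive them.
    samples = [
        "app://webview?url=https%3A%2F%2Fwww.example-app.com%2Fprofile",
        "app://webview?url=https://www.example-app.com.evil.test/",
        "app://webview?url=https://evil.test/?ref=www.example-app.com",
        "app://webview?url=https://evil.test&url=https://www.example-app.com/",
    ]
    for link in samples:
        print(link, "->", webview_target_from_deep_link(link))
```

The point of the two-function contrast is that the decision must be made on the parsed host, not on the raw string, and made on the client before the WebView is asked to load anything; a JavaScript interface should only be attached to a WebView whose every navigation passes the same allowlist.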