Microsoft announced on Wednesday that it has recently discovered a flaw in TikTok’s Android app that may allow attackers to take control of users’ accounts with the simple click of a single malicious link.
Microsoft conducted a vulnerability evaluation of TikTok and found that the problems were present in both Android versions of the app, which together had amassed over 1.5 billion downloads through the Google Play Store. As part of its responsible disclosure policy, a Microsoft security researcher informed TikTok of the flaws in February 2022 through Coordinated Vulnerability Disclosure (CVD) under Microsoft Security Vulnerability Research (MSVR).
TikTok responded promptly with a fix for the reported vulnerability, which is now tracked as CVE-2022-28799; users can consult the CVE entry for additional details. Microsoft said that TikTok was informed of the bug in February and that the Chinese social media platform has since patched it.
The flaw lay in the app’s verification of so-called deeplinks, which are hyperlinks used exclusively by Android devices to access particular parts of mobile apps. For example, when someone clicks on a TikTok link in a browser, the content is automatically launched in the TikTok app. Deeplinks must be defined in an app’s manifest for use outside of the app.
A URL domain’s validity can also be cryptographically verified by an app. For instance, TikTok for Android declares the domain m.tiktok.com. Typically, the TikTok app will permit WebView to load material from tiktok.com but prevent WebView from loading content from other sites.
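The host check described above is where such deeplink bugs usually live: the app must decide whether a URL handed to it from outside may be rendered in its WebView. The following is an added example written for this article, not TikTok's code or Microsoft's proof of concept; the class name and the allowlisted hosts (`app.example.com`, `www.example.com`) are hypothetical. It places a typical weak substring check beside a strict parse-then-compare check so the difference is visible on the same inputs.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/** Allowlist check for URLs that arrive via a deeplink and would be loaded in a WebView. */
public final class DeeplinkHostCheck {
    // Hosts the app is willing to render in its WebView (hypothetical values).
    private static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com", "www.example.com");

    // Weak check: a substring match on the raw string. It accepts any URL that merely
    // mentions the allowed host, e.g. in a longer hostname or in a query parameter.
    public static boolean weakIsAllowed(String url) {
        return url != null && url.contains("app.example.com");
    }

    // Strict check: parse the URL, require https, reject userinfo, and compare the
    // exact (lower-cased, dot-normalised) host against the allowlist.
    public static boolean strictIsAllowed(String url) {
        if (url == null) return false;
        final URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false;                                   // unparseable input is rejected, not loaded
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;   // no http:, javascript:, file:
        if (uri.getRawUserInfo() != null) return false;     // "user@host" forms hide the real host
        String host = uri.getHost();
        if (host == null) return false;                     // opaque URIs have no host at all
        host = host.toLowerCase(Locale.ROOT);
        if (host.endsWith(".")) host = host.substring(0, host.length() - 1); // trailing-dot FQDN
        return ALLOWED_HOSTS.contains(host);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate link and several that only look similar.
        String[] samples = {
            "https://app.example.com/video/123",
            "https://app.example.com.attacker.test/",
            "https://attacker.test/?next=app.example.com",
            "https://app.example.com@attacker.test/",
            "javascript:void(0)",
            "http://app.example.com/",
        };
        for (String s : samples) {
            System.out.printf("%-48s weak=%-5b strict=%b%n", s, weakIsAllowed(s), strictIsAllowed(s));
        }
    }
}
```

In an Android app this check belongs in `WebViewClient.shouldOverrideUrlLoading` (and before any `loadUrl` call fed by an intent), returning true to block navigation whenever `strictIsAllowed` is false.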
The researchers then produced a proof-of-concept exploit that carried out that exact action. It entailed delivering a malicious link to a specific TikTok user; once that user clicked it, the link retrieved the authentication tokens that TikTok's servers require users to present to prove ownership of their account. Additionally, the PoC link modified the targeted user's bio to read "!! SECURITY BREACH!!"