
Microsoft announced on Wednesday that it had discovered a flaw in TikTok’s Android app that could let an attacker take control of a user’s account once the victim clicks a single malicious link.

Microsoft assessed the TikTok app and found that the problem was present in both Android builds, the one distributed in East and Southeast Asia (com.ss.android.ugc.trill) and the one distributed in the rest of the world (com.zhiliaoapp.musically), which together have more than 1.5 billion installs through the Google Play Store. Microsoft reported the flaws to TikTok in February 2022 through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR).
TikTok responded quickly with a fix. The vulnerability is tracked as CVE-2022-28799, and the CVE entry carries further details. Microsoft said TikTok was informed of the bug in February and has since patched it; users should make sure they are running a current version of the app.
The flaw lay in the app’s verification of deeplinks, the hyperlinks that Android (like other mobile platforms) uses to open a specific part of an app rather than a web page. When someone clicks a TikTok link in a browser, for example, the content opens directly in the TikTok app. An app declares the deeplinks it handles in its AndroidManifest.xml through intent filters; links it does not declare are never routed to it.
An app can also have the operating system verify that it owns a URL’s domain: with Android App Links, the app declares the domain in its manifest and Android checks a Digital Asset Links file served over HTTPS at that domain, which lists the app’s signing-certificate fingerprint. TikTok for Android declares the domain m.tiktok.com in this way. Independently of that, the app applies its own allowlist to what it will load into its embedded WebView: content from tiktok.com is permitted, and content from other sites is supposed to be refused.
“The vulnerability allowed the app’s deeplink verification to be bypassed. Attackers could force the app to load an arbitrary URL to the app’s WebView, allowing the URL to then access the WebView’s attached JavaScript bridges and grant functionality to attackers.”
Microsoft researchers
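To make the mechanism concrete, here is an added example of the pattern the article describes, written by the editor and not taken from TikTok’s code or from Microsoft’s proof of concept: an activity that receives a verified deeplink, pulls a target URL out of its query string, and loads it into a WebView that exposes a JavaScript bridge. All names (the package, `DeeplinkActivity`, `AppBridge`, the `m.example-app.com` hosts, the `url` parameter) are hypothetical, and the weak check is a generic mistake shown for contrast, not a description of the actual TikTok bug, which the article does not detail.

```java
// Added illustration, not TikTok's code or Microsoft's proof of concept.
// Class, host and bridge names are hypothetical.
//
// Manifest side (AndroidManifest.xml): declare the deeplink and ask Android to
// verify domain ownership via https://m.example-app.com/.well-known/assetlinks.json.
//
//   <activity android:name=".DeeplinkActivity" android:exported="true">
//     <intent-filter android:autoVerify="true">
//       <action android:name="android.intent.action.VIEW" />
//       <category android:name="android.intent.category.DEFAULT" />
//       <category android:name="android.intent.category.BROWSABLE" />
//       <data android:scheme="https" android:host="m.example-app.com" />
//     </intent-filter>
//   </activity>
//
// That verification proves the link's own host belongs to the app. It says
// nothing about a URL carried inside the link's query string.
package com.example.deeplinkdemo;

import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class DeeplinkActivity extends Activity {

    // Exact-match allowlist of hosts whose pages may be loaded into the
    // WebView and therefore may call the bridge. No wildcards, no substrings.
    private static final Set<String> TRUSTED_HOSTS = new HashSet<>(Arrays.asList(
            "m.example-app.com", "www.example-app.com"));

    /** Native functionality reachable from page JavaScript as window.AppBridge.* */
    static class AppBridge {
        @JavascriptInterface
        public String getSessionToken() {
            // Any page that runs JavaScript in this WebView can call this,
            // which is why the URL check below is the whole security boundary.
            return "session-token-placeholder";
        }

        @JavascriptInterface
        public void setBio(String bio) {
            // Would update the signed-in user's profile through the app's API.
        }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new AppBridge(), "AppBridge");
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Re-check every later navigation: a trusted page that redirects
                // to an untrusted host must not carry the bridge with it.
                return !isTrustedTarget(request.getUrl());
            }
        });
        setContentView(webView);

        // Handles deeplinks of the form https://m.example-app.com/open?url=<target>
        Uri deeplink = getIntent().getData();
        String target = deeplink == null ? null : deeplink.getQueryParameter("url");
        if (target != null && isTrustedTarget(Uri.parse(target))) {
            webView.loadUrl(target);
        } else {
            webView.loadUrl("https://m.example-app.com/");
        }
    }

    /**
     * WEAK check, shown for contrast: a substring test accepts
     * https://m.example-app.com.attacker.example/ and
     * https://attacker.example/?r=m.example-app.com, and ignores the scheme.
     */
    static boolean isTrustedTargetWeak(String target) {
        return target.contains("example-app.com");
    }

    /** Hardened check: https only, exact host match, no parser-confusing authority. */
    static boolean isTrustedTarget(Uri uri) {
        if (uri == null || !uri.isHierarchical()) return false;
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        // https://m.example-app.com@attacker.example/ puts the trusted name in
        // the userinfo; reject any userinfo outright.
        if (uri.getUserInfo() != null) return false;
        // Chromium turns '\' into '/', so https://attacker.example\@m.example-app.com/
        // parses here with host m.example-app.com but loads attacker.example.
        if (uri.toString().indexOf('\\') >= 0) return false;
        String host = uri.getHost();
        return host != null && TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }
}
```

A page that reaches this WebView can call `window.AppBridge.getSessionToken()` or `window.AppBridge.setBio(...)` from its own script, which is the same kind of capability the proof of concept described below exercises against the real bridge. The OS-level App Links verification covers only the deeplink’s own host; the `url` parameter is attacker-controlled and must be vetted by the app itself, and that check has to be repeated on every navigation, because a page on a trusted host can redirect elsewhere.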
The researchers then built a proof-of-concept exploit that did exactly that. It involved sending a malicious link to a targeted TikTok user; when the user clicked it, the link retrieved the authentication tokens that TikTok’s servers use to confirm account ownership. The PoC link also changed the targeted user’s bio to read “!! SECURITY BREACH!!”.

According to the researchers, once the targeted TikTok user clicks the specially crafted link, the attacker’s server at https://www.attacker[.]com/poc is granted full access to the JavaScript bridge and can invoke any functionality it exposes. The server returns an HTML page whose JavaScript changes the user’s profile biography and sends video upload tokens back to the attacker. Microsoft said it had no evidence that the flaw had been exploited in the wild. The broader lesson for app developers: any native functionality exposed to a WebView through a JavaScript bridge is only as protected as the check on which URLs may be loaded into that WebView, including redirects after the first page.