Microsoft discovered a TikTok vulnerability that allowed one-click account compromise


Microsoft said Wednesday that it recently identified a vulnerability in the TikTok Android app that could allow attackers to hijack accounts when users do nothing more than click on a single malicious link. The software maker said it notified TikTok of the vulnerability in February and that the China-based social media company had fixed the flaw, which is tracked as CVE-2022-28799.

The vulnerability lies in how the app verifies what is known as a deep link, which is an Android-specific link that opens an individual component inside a mobile app. Deep links must be declared in the app’s manifest for use outside the app so that, for example, someone who clicks on a TikTok link in a browser has the content automatically opened in the TikTok app.

Applications can also declare the validity of a URL domain cryptographically. TikTok on Android, for example, declares the domain m.tiktok.com. Typically, the TikTok app will allow content from tiktok.com to be loaded into its WebView component but disallow WebView from loading content from other domains.
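The domain check described above is only as good as the code that parses the link. The following Android activity is an added example (not TikTok’s or Microsoft’s code) that contrasts a substring-style host check with a strict parse-and-allowlist check, and re-applies that check on every navigation so a WebView that carries a JavaScript bridge can only ever show first-party content. The activity name, the `url` query parameter, the `ALLOWED_HOSTS` entries and the `NativeBridge` class are assumptions made for the example.

```java
// Added example (not TikTok's or Microsoft's code): a deep-link handler that
// only lets allowlisted https hosts reach a WebView that carries a JavaScript bridge.
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class DeepLinkActivity extends Activity {

    // Assumed allowlist: a real app lists its own first-party hosts here.
    static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("m.example.com", "www.example.com"));

    /** Weak check, shown only to illustrate the failure mode: it accepts
     *  "https://m.example.com.attacker.test/" and "https://attacker.test/?x=m.example.com". */
    static boolean weakHostCheck(String url) {
        return url != null && url.contains("example.com");
    }

    /** Strict check: parse the URL, require https, no userinfo, and an exact host match. */
    static boolean isAllowedUrl(Uri uri) {
        if (uri == null || !uri.isHierarchical()) return false;
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        if (uri.getUserInfo() != null) return false;
        String host = uri.getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** Hypothetical bridge exposed to page JavaScript; attached only for allowlisted content. */
    static class NativeBridge {
        @JavascriptInterface
        public String getAppVersion() { return "1.0"; }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Deep link of the assumed form https://m.example.com/open?url=<target>
        Uri deepLink = getIntent().getData();
        String param = deepLink == null ? null : deepLink.getQueryParameter("url");
        Uri target = param == null ? null : Uri.parse(param);

        if (!isAllowedUrl(target)) {
            finish();   // reject: a caller-controlled URL must never reach the WebView
            return;
        }

        WebView webView = new WebView(this);
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new NativeBridge(), "AppBridge");

        // Re-check every top-level navigation (redirects, clicked links) so the page
        // cannot leave the allowlist while the bridge is still attached.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isAllowedUrl(request.getUrl()); // returning true blocks the navigation
            }
        });
        setContentView(webView);
        webView.loadUrl(target.toString());
    }
}
```

Two caveats for anyone adapting this: `shouldOverrideUrlLoading` is not invoked for http(s) subframe loads, and an object registered with `addJavascriptInterface` is visible to every frame in the WebView, so an allowlisted page that embeds third-party frames still exposes the bridge. Where the androidx.webkit library is available, `WebViewCompat.addWebMessageListener`, which takes an explicit set of allowed origin rules, is the safer way to expose native functionality to web content.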

“The vulnerability allows in-app link verification to be bypassed,” the researchers wrote. “An attacker can force an application to load an arbitrary URL into the application’s WebView, allowing the URL to then access the WebView’s attached JavaScript bridge and provide functionality to the attacker.”

The researchers went on to create a proof-of-concept exploit that did just that. This involves sending a malicious link to a targeted TikTok user, which, when clicked, obtains the authentication token that TikTok’s servers require for the user to prove ownership of their account. The PoC link also changes the targeted user’s profile bio to display the text “!! SECURITY BREACH!!”

“After a malicious link specially generated by the attacker is clicked by the targeted TikTok user, the attacker’s server, https://www.attacker[.]com/poc, is given full access to the JavaScript bridge and can perform any open function,” the researchers wrote. “The attacker’s server returned an HTML page containing JavaScript code to send a video upload token back to the attacker as well as change the user’s profile bio.”

Microsoft says it has no evidence the vulnerability is being actively exploited in the wild.

By Blanca
