Microsoft discovers serious ‘One-Click’ exploit for TikTok Android app


Microsoft on Wednesday unveiled details of a now-patched “high-severity vulnerability” in the TikTok app for Android that could allow attackers to take control of accounts when victims click on a malicious link.

“Attackers could have exploited the vulnerability to hijack an account without users’ knowledge if a targeted user simply clicked on a specially crafted link,” Dimitrios Valsamaras of the Microsoft 365 Defender research team said in a post.

Successful exploitation of the flaw could have allowed malicious actors to access and modify TikTok profiles and sensitive user information, leading to unauthorized exposure of private videos. Attackers may also have abused the bug to send messages and upload videos on behalf of users.

The issue, fixed in version 23.7.3, affects two variants of the Android app: one distributed to users in East and Southeast Asia, and com.zhiliaoapp.musically, distributed to users in other countries (except India, where the app is banned). Combined, the two apps have over 1.5 billion installs.

Tracked as CVE-2022-28799 (CVSS score: 8.8), the vulnerability lies in the application’s handling of a so-called deep link, a special hyperlink that opens a specific resource inside another application installed on the device rather than sending the user to a website.

“A specially crafted URL (unvalidated deep link) may force the WebView com.zhiliaoapp.musically to load an arbitrary website,” according to a notice on the flaw. “This may allow an attacker to exploit an attached JavaScript interface for one-click takeover.”

Simply put, the flaw lets an attacker bypass the app’s restrictions that are meant to reject untrusted hosts, and load any website of the attacker’s choice in Android System WebView, the system component apps use to display web content. Because the WebView has a JavaScript interface attached, the attacker’s page inherits access to whatever that interface exposes.
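To make the deep-link-to-WebView pattern concrete, here is an added example written for this page; it is not TikTok’s code and does not reproduce the actual bypass. The activity name DeepLinkActivity, the query parameter redirect_url, the bridge class AccountBridge and the allowlisted hosts are all hypothetical. The commented-out line shows the vulnerable shape (load whatever URL the link carried into a WebView that has a JavaScript bridge), and the code that follows shows the hardened form: validate scheme and exact host on the same string that is handed to loadUrl, and keep later navigations inside the allowlist as well.

```java
// Added example (not TikTok's code). Names such as DeepLinkActivity, "redirect_url",
// AccountBridge and the allowlisted hosts are hypothetical, chosen only to
// illustrate the deep link -> WebView -> JavaScript interface pattern.
package com.example.deeplinkdemo;

import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class DeepLinkActivity extends Activity {

    // Hypothetical allowlist of first-party hosts that may be loaded with the bridge attached.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com", "m.example.com"));

    /** Exposed to page JavaScript as window.AccountBridge. Any page loaded in this WebView can call it. */
    static class AccountBridge {
        @JavascriptInterface
        public String getSessionToken() {
            return "demo-session-token"; // placeholder; a real bridge would return app state
        }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new AccountBridge(), "AccountBridge");
        setContentView(webView);

        // Deep link of the form: myapp://open?redirect_url=https%3A%2F%2Fattacker.example%2F
        Uri deepLink = getIntent().getData();
        String target = (deepLink == null) ? null : deepLink.getQueryParameter("redirect_url");
        if (target == null) {
            finish();
            return;
        }

        // VULNERABLE shape: trust the link and load it into the bridged WebView.
        // webView.loadUrl(target);

        // HARDENED shape: check the exact string that will be loaded, then keep
        // redirects and in-page navigation inside the allowlist too.
        if (!isTrustedUrl(target)) {
            finish();
            return;
        }
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true cancels the navigation, so anything off the allowlist is blocked.
                return !isTrustedUrl(request.getUrl().toString());
            }
        });
        webView.loadUrl(target);
    }

    /**
     * Scheme must be https and the host must match the allowlist exactly.
     * Substring checks such as contains("example.com") are bypassable
     * (e.g. "example.com.attacker.example"), and userinfo tricks such as
     * https://www.example.com@attacker.example/ are why we compare getHost(),
     * not the raw string.
     */
    static boolean isTrustedUrl(String url) {
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        return "https".equals(scheme)
                && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }
}
```

From the attacker’s side, the only thing a successful deep-link bypass needs is a page that calls the bridge, for instance `window.AccountBridge.getSessionToken()`, which is why the validation must run on the exact URL the WebView loads rather than on a separate representation that a pre-filter saw. The `shouldOverrideUrlLoading(WebView, WebResourceRequest)` overload used above requires API level 24 or higher; on older targets the `String` overload serves the same purpose.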

“Filtering takes place on the server side and the decision to load or reject a URL is based on the response received from a particular HTTP GET request,” Valsamaras explained, adding that static analysis “indicates that it is possible to bypass the server-side check by adding two additional parameters to the deep link.”

Once the WebView has been hijacked to load a rogue website, the attacker’s page can reach the attached JavaScript interface and, through it, invoke more than 70 exposed TikTok endpoints, which is what allows the integrity of a user’s profile to be compromised. There is no evidence that the bug was exploited in the wild.

“From a programming perspective, using JavaScript interfaces poses significant risks,” Microsoft noted. “A compromised JavaScript interface can potentially allow attackers to execute code using the application’s ID and privileges.”
