TikTok for Android Bug Allows Single-Click Account Hijack

Published: 23/11/2024   Category: security




A security vulnerability (CVE-2022-28799) in one of TikTok for Android's deeplinks could affect billions of users, Microsoft warns.



A high-severity flaw in the Android version of the TikTok app — which has been installed more than 1.5 billion times so far via the Google Play Store — could allow threat actors to hijack a user's account with a single click.
Microsoft discovered the high-severity vulnerability in the handling of one of TikTok for Android's deeplinks, a particular type of hyperlink in Android that links to a specific component within an app. To exploit it, cybercriminals could craft a malicious link that, if clicked, would allow full account access.
Tracked as CVE-2022-28799, the flaw could allow attackers to modify users' TikTok profiles and access sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users, according to a Microsoft Security blog post published Wednesday.
In all, an exploit exposes 70 methods for an attacker to modify users' TikTok profiles and access sensitive information without users' awareness, he said.
While CVE-2022-28799 itself is found in a deeplink in the Android version of TikTok, exploiting the flaw depends on the app's implementation of JavaScript interfaces, which are provided by the app's WebView component, Microsoft said.
WebView allows applications to load and display web pages and, using the addJavascriptInterface API call, also can provide bridge functionality that allows JavaScript code in the web page to invoke specific Java methods of a particular class in the app.
The issue with WebView is that if someone such as a threat actor loads untrusted web content to WebView with application-level objects accessible via JavaScript code, the app is vulnerable to JavaScript interface injection. This may lead to data leakage, data corruption, or, in some cases, arbitrary code execution, Microsoft said.
TikTok for Android uses JavaScript interfaces extensively, enhancing the WebView capabilities that are used within the app, according to the post.
Microsoft researchers discovered what they call a "class of interest" in TikTok's Android version: it makes use of WebView and registers a JavaScript bridge that has access to every type of functionality implemented by the classes of the bridge, which can be exploited due to the deeplink vulnerability, they said.
Attackers can use the vulnerability to redirect URLs to various components of the application via a query parameter to trigger the deeplink and call non-exported activities, expanding the attack surface of the application, according to the post.
In a proof-of-concept (PoC) exploit, Microsoft researchers were able to force the application to load an arbitrary URL (https://www.tiktok[.]com, in this case) in the application's WebView, they said.
By crafting this URL with additional query parameters, it was possible to inject an instance of the JavaScript bridge that provides full access to the functionality implemented by the affected bridge package, according to the post.
It added, "In short, by controlling any of the methods able to perform authenticated HTTP requests, a malicious actor could have compromised a TikTok user account."
Microsoft notified TikTok about the flaw in line with its responsible disclosure practices. TikTok responded by rapidly issuing a fix to both versions of the Android app it offers — one for East Asia and Southeast Asia and the other for all remaining countries — both of which were affected. Users should update their apps to the latest version to protect themselves.
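The WebView bridge and deeplink-redirect pattern described above, written out as an added defender's example (not code from TikTok or from Microsoft's post): a hypothetical Android activity receives a deeplink carrying a `url` query parameter; the unchecked load is shown in comments beside a hardened version that validates scheme and host against an allowlist before attaching any JavaScript interface. Class, host and method names are assumptions.

```java
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import androidx.appcompat.app.AppCompatActivity;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class DeepLinkWebViewActivity extends AppCompatActivity {
    // Hypothetical allowlist of first-party hosts. Exact-match on the host,
    // never prefix/contains matching, so "www.example.com.evil.test" is rejected.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com", "m.example.com"));

    // Hypothetical bridge. In a real app a class like this may expose methods that
    // perform authenticated HTTP requests, which is why the page load must be gated.
    static class NativeBridge {
        @JavascriptInterface
        public String getAppVersion() { return "1.0.0"; }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);

        // VULNERABLE pattern (for contrast, not executed): the deeplink's "url"
        // parameter is loaded unchecked into a WebView that already has a bridge.
        //   webView.addJavascriptInterface(new NativeBridge(), "bridge");
        //   webView.loadUrl(getIntent().getData().getQueryParameter("url"));

        // HARDENED pattern: validate first, attach the bridge only for trusted hosts,
        // and refuse the deeplink entirely otherwise.
        Intent intent = getIntent();
        Uri data = intent != null ? intent.getData() : null;
        String param = data != null ? data.getQueryParameter("url") : null;
        if (param == null || !isTrusted(Uri.parse(param))) {
            finish(); // reject rather than load attacker-controlled content
            return;
        }
        webView.addJavascriptInterface(new NativeBridge(), "bridge");
        webView.loadUrl(param);
    }

    static boolean isTrusted(Uri uri) {
        String host = uri.getHost();
        return "https".equalsIgnoreCase(uri.getScheme())
                && host != null && ALLOWED_HOSTS.contains(host.toLowerCase());
    }
}
```

The check is deliberately on the parsed `Uri` rather than on the raw string, so userinfo tricks and mixed-case hosts are normalized before the allowlist comparison.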
The quick response is notable, given the myriad privacy and security issues that have plagued TikTok in the past. However, it has been cleaning up its act in recent years, starting with its introduction of a bug-bounty program through HackerOne in 2020.
In February, the company's global chief security officer Roland Cloutier told Dark Reading that TikTok has committed to building a culture of security and transparency going forward, given its access to sensitive data and content for billions of organizations and individuals.
