Microsoft discovered a TikTok Android vulnerability

September 7, 2022

Researchers from Microsoft have found a TikTok Android vulnerability that enables a threat actor to take over an account with one click by deceiving targets into accessing a specially crafted link.

According to Microsoft’s security team, threat actors could have exploited the flaw to hijack an account without the user’s awareness once the target clicked the malicious link.

Moreover, the threat actors could have accessed and altered the user’s profile and sensitive information, for example by sending messages, making private videos public, uploading videos from the user’s account, and more.

The TikTok Android vulnerability utilises WebView.

Based on reports, the TikTok Android app exposes over 70 JavaScript methods through its WebView’s JavaScript interface; an attacker who chained those methods with a bug that lets attacker-controlled content load in the TikTok application’s WebView could exploit them. WebView is the Android system component the affected application uses to render web content.

Through the exposed methods, attackers could access or modify a TikTok user’s private information or perform authenticated HTTP requests. An attacker who successfully exploited this flaw could retrieve the user’s authentication tokens by triggering a request to a server they control and logging the cookie and request headers.

The threat actors could also modify or retrieve a user’s TikTok account data, such as private videos and profile settings, by triggering a request to a TikTok endpoint and retrieving the response through a JavaScript callback.

The researchers explained that the WebView flaw in the TikTok application was reached through an unauthenticated deeplink with an unvalidated parameter, which could lead to account hijacking via the JavaScript interface.
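The two ingredients described above, a deeplink parameter that is loaded into a WebView without validation and a JavaScript interface that any page in that WebView can call, are the general pattern behind this class of Android bug. The following Activity is an added example written for this article; it is not TikTok’s code and not from the Microsoft write-up. It shows the weak pattern (commented out) beside a hardened version that allowlists the scheme and host before loading the URL and before attaching the bridge. The parameter name `url`, the allowed hosts, the package name and the `NativeBridge` class are assumptions for illustration.

```java
// Added example (not TikTok's code, not from the Microsoft write-up): an Activity
// that receives a deeplink, reads a URL parameter and shows it in a WebView that
// carries a JavaScript bridge. Parameter name "url", the allowed hosts, the
// package name and NativeBridge are assumptions for illustration.
package com.example.deeplinkwebview;

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class DeeplinkWebViewActivity extends Activity {

    // Hosts whose pages may be loaded in the WebView and may call the bridge (assumed).
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.example-app.com", "m.example-app.com"));

    // Bridge object: every @JavascriptInterface method becomes callable from page JS,
    // so keep the surface minimal and never expose token or request helpers here.
    static class NativeBridge {
        @JavascriptInterface
        public String getAppVersion() { return "1.0.0"; }
    }

    /** Returns true only for https URLs whose host is exactly on the allowlist. */
    static boolean isAllowedUrl(String candidate) {
        if (candidate == null) return false;
        Uri uri = Uri.parse(candidate);
        String host = uri.getHost();
        return "https".equalsIgnoreCase(uri.getScheme())
                && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);

        Intent intent = getIntent();
        Uri deeplink = intent.getData();
        String target = deeplink != null ? deeplink.getQueryParameter("url") : null;

        // WEAK: loading the deeplink parameter unvalidated with the bridge attached
        // lets whatever page the link points at call NativeBridge methods.
        // webView.addJavascriptInterface(new NativeBridge(), "NativeBridge");
        // webView.loadUrl(target);

        // HARDENED: validate the destination first, and keep later navigations
        // (link clicks, script-driven location changes) inside the allowlist too.
        if (!isAllowedUrl(target)) {
            finish();   // refuse unknown destinations instead of rendering them
            return;
        }
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true cancels navigation to a host that is not allowlisted.
                return !isAllowedUrl(request.getUrl().toString());
            }
        });
        webView.addJavascriptInterface(new NativeBridge(), "NativeBridge");
        webView.loadUrl(target);
    }
}
```

Two design points matter here. The allowlist compares the parsed host exactly rather than checking whether the string contains or ends with a trusted domain, because prefix, suffix and userinfo tricks in URLs defeat substring matching. And the bridge is attached only after the destination has passed the check, since once `addJavascriptInterface` has been called every page that ends up in that WebView can reach the bridge; a reviewer should also confirm that nothing in the bridge returns cookies, tokens or lets the page make authenticated requests on the app’s behalf, which is exactly the capability the article describes being abused.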

Fortunately, the vulnerability, tracked as CVE-2022-28799, has been fixed in TikTok version 23.7.3. The fix was deployed less than 30 days after Microsoft reported its discovery.

As of now, there is no evidence that this CVE was exploited against the social media platform.

TikTok users can reduce the chance of being hit by a similar issue by avoiding links from unknown sources. Users should also keep their apps updated, install apps only from trustworthy sources, and report any suspicious behaviour promptly.
