Microsoft finds TikTok vulnerability that allowed one-click account compromises


Microsoft said on Wednesday that it recently identified a vulnerability in TikTok's Android app that could allow attackers to hijack accounts when users did nothing more than click on a single errant link. The software maker said it notified TikTok of the vulnerability in February and that the China-based social media company has since fixed the flaw, which is tracked as CVE-2022-28799.

The vulnerability resided in how the app verified what are known as deeplinks, which are Android-specific links for accessing individual components within a mobile app. Deeplinks must be declared in an app's manifest for use outside of the app so that, for example, someone who clicks on a TikTok link in a browser has the content automatically opened in the TikTok app.

An app can also cryptographically declare the validity of a URL domain. TikTok on Android, for instance, declares a specific domain. Normally, the TikTok app will allow content from that domain to be loaded into its WebView component but forbid WebView from loading content from other domains.


“The vulnerability allowed the app’s deeplink verification to be bypassed,” the researchers wrote. “Attackers could force the app to load an arbitrary URL to the app’s WebView, allowing the URL to then access the WebView’s attached JavaScript bridges and grant functionality to attackers.”
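The defensive point in the paragraphs above is that a URL arriving through a deeplink is untrusted input and must be checked against the app's declared domain before it is handed to WebView (on Android, before the receiving Activity calls `WebView.loadUrl`). The following is an added illustration, not code from Microsoft's write-up or from TikTok: it contrasts a loose string-based check with a strict one that parses the URL and compares the exact host. The allowlisted host `app.example.com` and the sample URLs are constructed placeholders, since the page does not name the domain TikTok declares.

```python
from urllib.parse import urlsplit

# Constructed allowlist: a placeholder for whatever domain the app declares.
ALLOWED_HOSTS = {"app.example.com"}


def loose_check(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Weak validation: accepts the URL if the allowed domain appears
    anywhere in the raw string. It never looks at which part of the URL
    the match landed in, so it cannot tell host from path or query."""
    return any(host in url for host in allowed_hosts)


def strict_check(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Strict validation: parse the URL, require https, and require the
    parsed host to equal an allowlisted host exactly."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False  # malformed URL, refuse to load it
    if parts.scheme != "https":
        return False
    host = parts.hostname  # lowercased; userinfo and port are stripped
    if host is None:
        return False
    return host in allowed_hosts


def classify(urls):
    """Return {url: (loose_result, strict_result)} so the two policies can
    be compared side by side on the same inputs."""
    return {u: (loose_check(u), strict_check(u)) for u in urls}


if __name__ == "__main__":
    # Constructed sample deeplink targets.
    samples = [
        "https://app.example.com/video/1",
        "https://app.example.com.evil.example/page",
        "https://evil.example/?next=app.example.com",
        "http://app.example.com/",
    ]
    for url, (loose, strict) in classify(samples).items():
        print(f"{url:48} loose={loose!s:5} strict={strict}")
```

Only the first sample should reach the WebView; the loose check accepts all four because the allowed domain is present somewhere in each string, while the strict check accepts only the URL whose parsed host is exactly the allowlisted one over https. A production app would apply the same comparison to every URL that can end up in a WebView that exposes JavaScript bridges, not just the initial deeplink.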

The researchers went on to create a proof-of-concept exploit that did just that. It involved sending a targeted TikTok user a malicious link that, when clicked, obtained the authentication tokens that TikTok servers require for users to prove ownership of their account. The PoC link also changed the targeted user's profile bio to display the text “!! SECURITY BREACH !!”

“Once the attacker’s specially crafted malicious link is clicked by the targeted TikTok user, the attacker’s server, https://www.attacker[.]com/poc, is granted full access to the JavaScript bridge and can invoke any exposed functionality,” the researchers wrote. “The attacker’s server returns an HTML page containing JavaScript code to send video upload tokens back to the attacker as well as change the user’s profile biography.”

Microsoft said it has no evidence the vulnerability was actively exploited in the wild.
