Microsoft has described a high-severity vulnerability in the TikTok Android app that could have allowed an attacker to take over an account simply by luring the user into clicking a link.
The bug is tracked as CVE-2022-28799. According to Microsoft, the flaw has not been exploited in the wild, despite the app having an estimated 1.5 billion downloads on the Play Store. Microsoft advises all TikTok users on Android to upgrade to the most recent version of the app so that the patch is applied.
Microsoft identified more than 70 exposed JavaScript methods that, combined with the bug allowing the WebView to be hijacked, could have given an attacker that capability.
Through the exposed methods, threat actors could have issued authenticated HTTP requests and read or modified the private data of TikTok users.
In short, an attacker who successfully exploited this vulnerability could have:
- Retrieved the users' authentication tokens by triggering a request to a server under their control and logging the cookie and the request headers.
- Retrieved or modified the users' TikTok account data, including private videos and profile settings by triggering a request to a TikTok endpoint and retrieving the reply via the JavaScript callback.
"The TikTok Android app was revealed to have a WebView Hijacking vulnerability due to an unvalidated deep link on an invalid argument. Through a JavaScript interface, this may have led to account hijacking," the HackerOne report explained.
Only about a month after Microsoft first reported the flaw, TikTok released version 23.7.3 with a patch addressing CVE-2022-28799.
Microsoft added: "Once the targeted TikTok user clicks the hacker's specially constructed malicious link, the attacker's server is granted total access to the JavaScript bridge and can activate any accessible functionality."
The attacker's server responds with an HTML page whose JavaScript modifies the user's profile biography and sends video upload tokens back to the attacker.
With full access to a user's account, an attacker could modify profile information, send messages, upload videos, and even publish private videos.
TikTok has also fixed further security vulnerabilities that could have let attackers steal users' personal details or take over their accounts to tamper with their videos.
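The root cause described above is an app loading a URL taken straight from a deep link into a WebView that exposes a JavaScript bridge. The following is an added illustration, not TikTok's code or anything derived from Microsoft's report: a minimal Android activity that shows the unvalidated pattern beside a hardened handler that checks scheme and host against a first-party allowlist before loading the page, and only attaches the bridge for trusted origins. The host names, the `url` query parameter, the `AppBridge` interface name and the `DeepLinkActivity` class are all placeholders chosen for this example, and the `WebResourceRequest` overload of `shouldOverrideUrlLoading` assumes API level 24 or higher.

```kotlin
import android.os.Bundle
import android.webkit.JavascriptInterface
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient
import androidx.appcompat.app.AppCompatActivity
import java.net.URI
import java.net.URISyntaxException

// Constructed allowlist of first-party hosts; a real app would list its own domains.
private val TRUSTED_HOSTS = setOf("www.example-app.com", "m.example-app.com")

// Returns true only for an absolute https URL whose host is on the allowlist.
// java.net.URI is used deliberately: it throws on malformed authorities
// (e.g. backslashes or stray characters) instead of guessing, so confusing
// parsers with lookalike URLs fails closed.
fun isTrustedUrl(raw: String?): Boolean {
    if (raw.isNullOrBlank()) return false
    val uri = try { URI(raw) } catch (e: URISyntaxException) { return false }
    if (!uri.isAbsolute) return false
    if (!"https".equals(uri.scheme, ignoreCase = true)) return false
    if (uri.userInfo != null) return false      // reject https://trusted@evil.example forms
    val host = uri.host ?: return false          // null host means the authority did not parse
    return host.lowercase() in TRUSTED_HOSTS
}

class DeepLinkActivity : AppCompatActivity() {

    // Everything annotated here is callable by page JavaScript once the bridge is
    // attached, so keep the surface as small as possible.
    inner class AppBridge {
        @JavascriptInterface
        fun appVersion(): String = "1.0"
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val webView = WebView(this)
        setContentView(webView)
        webView.settings.javaScriptEnabled = true

        // Keep in-page navigation inside the allowlist too; returning true blocks the load.
        webView.webViewClient = object : WebViewClient() {
            override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean {
                return !isTrustedUrl(request.url.toString())
            }
        }

        // Unvalidated pattern (the class of bug described in the article):
        // the deep link's "url" parameter goes straight to loadUrl with the bridge already
        // attached, so whoever crafts the link chooses which page can call the bridge.
        //   webView.addJavascriptInterface(AppBridge(), "AppBridge")
        //   webView.loadUrl(intent?.data?.getQueryParameter("url") ?: "about:blank")

        // Hardened pattern: validate first, and attach the bridge only for a trusted origin.
        val target = intent?.data?.getQueryParameter("url")
        if (target != null && isTrustedUrl(target)) {
            webView.addJavascriptInterface(AppBridge(), "AppBridge")
            webView.loadUrl(target)
        } else {
            // Untrusted or missing target: load nothing attacker-controlled and do not expose the bridge.
            webView.loadUrl("about:blank")
            finish()
        }
    }
}
```

Two design choices matter here. First, the bridge is attached only after the URL passes the check, so even a later regression in the allowlist does not leave the interface reachable from an arbitrary page. Second, the `WebViewClient` re-applies the same check to every navigation the page attempts, which closes the gap where a trusted page redirects to an untrusted one while the bridge is still present.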