TikTok for Android Bug Allows Single-Click Account Hijack

A high-severity flaw in the Android version of the TikTok app — which has been installed more than 1.5 billion times so far via the Google Play Store — could allow threat actors to hijack a user’s account with a single click.

Microsoft discovered the high-severity vulnerability in the handling of one of TikTok for Android’s deeplinks, a particular type of hyperlink in Android that links to a specific component within an app. To exploit it, cybercriminals could craft a malicious link that, if clicked, would allow full account access.

Tracked as CVE-2022-28799, the flaw could allow attackers to modify users’ TikTok profiles and access sensitive information, “such as by publicizing private videos, sending messages, and uploading videos on behalf of users,” according to a Microsoft Security blog post published Wednesday.

In all, an exploit exposes 70 methods for an attacker to modify users’ TikTok profiles and access sensitive information without users’ awareness, he said.

Under the Hood: Exploiting JavaScript

While CVE-2022-28799 itself is found in a deeplink in the Android version of TikTok, exploiting the flaw depends on the app’s implementation of JavaScript interfaces, which are provided by the app’s WebView component, Microsoft said.

WebView allows applications to load and display web pages and, using the “addJavascriptInterface” API call, also can provide bridge functionality that allows JavaScript code in the web page to invoke specific Java methods of a particular class in the app.

The issue with WebView is that if someone such as a threat actor loads untrusted web content to WebView with application-level objects accessible via JavaScript code, the app is vulnerable to JavaScript interface injection. This may lead to data leakage, data corruption, or, in some cases, arbitrary code execution, Microsoft said.

“TikTok for Android uses JavaScript interfaces extensively, enhancing the WebView capabilities that are used within the app,” according to the post.

Microsoft researchers discovered what they call “a class of interest” that makes use of WebView in TikTok’s Android version that “registers a JavaScript bridge that has access to every type of functionality implemented by the classes of a bridge,” which can be exploited due to the deeplink vulnerability, they said.

“Attackers can use the vulnerability to redirect URLs to various components of the application via a query parameter to trigger the deeplink and call nonexported activities, expanding the attack surface of the application,” according to the post.

Proof-of-Concept TikTok Attack

In a proof-of-concept (PoC) exploit, Microsoft researchers were able to force the application to load an arbitrary URL (https://www.tiktok[.]com, in this case) to the application’s WebView, they said.

“By crafting this URL with additional query parameters, it was possible to inject an instance of the JavaScript bridge that provides full access to the functionality implemented by the affected bridge package,” according to the post.

It added, “In short, by controlling any of the methods able to perform authenticated HTTP requests, a malicious actor could have compromised a TikTok user account.”

Patch the TikTok App Now

Microsoft notified TikTok about the flaw, according to its responsible disclosure practices. TikTok responded by rapidly issuing a fix to both versions of the Android app it offers — one for East Asia and Southeast Asia and the other for all remaining countries — which both were affected. Users should update their apps to the latest version to protect themselves.

The quick response is notable, given the myriad privacy and security issues that have plagued TikTok in the past. However, it has been cleaning up its act in recent years, starting with its introduction of a bug-bounty program through HackerOne in 2020.

In February, the company’s global chief security officer Roland Cloutier told Dark Reading that TikTok has committed to building a culture of security and transparency going forward, given its access to sensitive data and content for billions of organizations and individuals.