TikTok vulnerability could have allowed hijackers to take over accounts

Categories: News | Tags: Exploit, vulnerability, Tik-Tok, Microsoft, JavaScript

We take a look at a TikTok exploit discovered by Microsoft and passed on to the social media giant to have fixed.


The post TikTok vulnerability could have allowed hijackers to take over accounts appeared first on Malwarebytes Labs.


Posted: September 1, 2022 by

Microsoft has published a detailed write-up of a now-fixed issue in the TikTok app for Android. Microsoft rated it a “high-severity vulnerability”; exploiting it required several weaknesses chained together, but the end result was that a single click on a crafted link could have handed an attacker the victim’s account.

From there, the usual consequences of a compromised account apply: sending messages, uploading content, reading sensitive profile information, viewing private videos and more. Worse, Microsoft found that both Android builds of the TikTok app (the global version and the one distributed in East and Southeast Asia) were affected, around 1.5 billion installations combined. It’s just as well TikTok was told about the vulnerability in February 2022 and has since fixed it.

Shall we take a look?

What is a deeplink?

To ward off any possible confusion, deeplinks are completely unrelated to deepfakes.

The issue hinges on TikTok’s deeplink handling. A deeplink is a URL that Android routes to a specific app, and often to a specific screen inside it, rather than to the browser. As Engadget explains, tapping a Twitter embed in Chrome on a phone and having the Twitter app open is this working in practice. The app is supposed to verify which links it will accept and what it does with them.

Things go wrong when someone finds a way past that verification and gets the app to act on a URL it should have rejected. As it happens, our old friend JavaScript, or rather the app’s JavaScript interfaces, is the next link in the chain.

The perils of JavaScript interface injection

Exploitation depended on how the app implemented JavaScript interfaces. Android’s WebView component, which apps use to load and display web pages, lets an app expose Java objects to the JavaScript running in a page (via addJavascriptInterface), and any page the WebView loads can call those objects’ methods. If the WebView can be made to load untrusted content, the app is open to JavaScript interface injection: the attacker’s script calls the app’s own bridge methods, which can lead to corrupted data, data leakage and even arbitrary code execution.

Microsoft found that several issues in the handling of one specific deeplink, chained together, could force the app’s WebView to load an arbitrary URL with the JavaScript interface still attached.

The issue is tracked as CVE-2022-28799, whose description reads:

The TikTok application before 23.7.3 for Android allows account takeover. A crafted URL (unvalidated deeplink) can force the com.zhiliaoapp.musically WebView to load an arbitrary website. This may allow an attacker to leverage an attached JavaScript interface for the takeover with one click.

Fixes and suggestions

Microsoft offers the following advice to app developers who need to use JavaScript interfaces:

  • Use the default browser to open URLs that don’t belong to the application’s approved list.

  • Keep the approved list up to date and track the expiration dates of the included domains. This can prevent attackers from hijacking WebView by claiming an expired domain on the approved list.

  • Avoid using partial string comparison methods to compare and verify a URL with the approved list of trusted domains.

  • Avoid adding stage or internal network domains to the approved list as these domains could be spoofed by an attacker to hijack WebView.
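To make the pattern behind the bug and the advice above concrete, here is an added example of a deeplink-handling Android activity in Java. It is not TikTok’s code and not Microsoft’s proof of concept; the package name, the AppBridge interface, the getSessionToken method, the example.com hosts and the "url" query parameter are all made up for illustration. It shows the vulnerable shape (deeplink parameter straight into a WebView that carries a JavaScript interface, and a substring check that a lookalike domain slips past) next to a hardened version that parses the URL, requires https, compares the host exactly against an allowlist, re-checks every navigation, and hands anything else to the default browser where no interface is attached.

```java
// Added illustration of the vulnerable and hardened deeplink-to-WebView pattern.
// Hypothetical app; not TikTok's code and not Microsoft's proof of concept.
package com.example.deeplinkdemo;

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class DeepLinkActivity extends Activity {

    // Exact hostnames only (hypothetical). No staging or internal hosts, no
    // wildcards, and the list needs reviewing when a registration lapses.
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com", "help.example.com"));

    // Every @JavascriptInterface method is callable by any page the WebView loads.
    public class AppBridge {
        @JavascriptInterface
        public String getSessionToken() {   // hypothetical bridge method; exactly the
            return fetchToken();            // kind of thing an injected script would call
        }
    }

    private WebView webView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new AppBridge(), "AppBridge");

        // Deeplink of the form example://open?url=<target> (hypothetical scheme).
        Uri deeplink = getIntent().getData();
        String target = deeplink == null ? null : deeplink.getQueryParameter("url");
        if (target == null) { finish(); return; }

        handleTargetHardened(target);
    }

    // VULNERABLE: the attacker-chosen URL goes straight into the WebView, so the
    // attacker's page runs with AppBridge in scope and can call getSessionToken().
    private void handleTargetVulnerable(String target) {
        webView.loadUrl(target);
    }

    // VULNERABLE: partial string comparison. Both "https://example.com.attacker.net/"
    // and "https://attacker.net/?r=example.com" contain the substring and pass.
    private static boolean looksTrustedBad(String target) {
        return target.contains("example.com");
    }

    // HARDENED: parse the URL, require https and compare the host exactly.
    // "https://www.example.com/p" -> true; "https://example.com.attacker.net/" -> false;
    // "http://www.example.com/" -> false (scheme); "https://www.example.com@attacker.net/"
    // -> false, because Uri.getHost() returns "attacker.net" for that input.
    static boolean isTrustedUrl(String target) {
        Uri u = Uri.parse(target);
        String host = u.getHost();
        return "https".equals(u.getScheme()) && host != null
                && TRUSTED_HOSTS.contains(host.toLowerCase());
    }

    private void handleTargetHardened(String target) {
        if (isTrustedUrl(target)) {
            webView.setWebViewClient(new WebViewClient() {
                // Re-check every navigation (API 24+ signature), so a redirect from a
                // trusted page cannot carry the JavaScript interface to an untrusted one.
                @Override
                public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                    String next = request.getUrl().toString();
                    if (isTrustedUrl(next)) return false;   // let the WebView load it
                    startActivity(new Intent(Intent.ACTION_VIEW, Uri.parse(next)));
                    return true;                            // handled by the browser instead
                }
            });
            webView.loadUrl(target);
        } else {
            // Not on the allowlist: open it in the default browser, with no bridge attached.
            startActivity(new Intent(Intent.ACTION_VIEW, Uri.parse(target)));
            finish();
        }
    }

    private String fetchToken() { return "placeholder-token"; } // hypothetical
}
```

The two vulnerable methods are left in for comparison and are never called. Note that the hardening has two parts: the allowlist check on the deeplink parameter, and the same check on every navigation the WebView makes afterwards. Skipping the second part means an open redirect on any allowlisted site reintroduces the original problem.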

It’s important to note that Microsoft has seen no evidence of this being exploited in the wild, so TikTok users don’t need to panic about this particular exploit. The everyday threats, phishing and social engineering among them, remain the bigger concern. This one can be filed under highly technical “close, but no cigar”.
