TikTok bug discovered by Microsoft allows one-click account hijack


The security issue has been fixed by TikTok, so users should ensure they are on the latest version.

Microsoft has revealed details of a now-patched security flaw in TikTok's Android app that could have been used by hackers to take over a user's account if they clicked on a malicious link.

In a blog post published on Wednesday, researchers from the Microsoft 365 Defender Research Team described the one-click vulnerability in detail.

The bug, which is tracked as CVE-2022-28799, was reported to TikTok in February, and has now been fixed.

Microsoft researchers found the high-severity flaw in how the TikTok app handled its deeplink capabilities. Deeplink functionality lets an app register with the operating system to process particular links in a specific manner, for example launching the Twitter app to follow a user when the person clicks an HTML "Follow this account" button embedded in a website.

"The vulnerability allowed the app's deeplink verification to be bypassed," Microsoft researchers said.

While the bug itself lay in the deeplink handling of the TikTok Android app, Microsoft said that exploiting it depended on the app's implementation of JavaScript interfaces, which are exposed through the app's WebView component.

"Attackers could force the app to load an arbitrary URL to the app's WebView, allowing the URL to then access the WebView's attached JavaScript bridges and grant functionality to attackers."
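The two elements described above, deeplink verification and a WebView with an attached JavaScript bridge, come together in the pattern below. It is an added illustration for this article, not Microsoft's or TikTok's code; the `myapp://webview?url=` link shape, the allowlisted host names and the `NativeBridge` object are assumptions. The point it shows is that the URL must be parsed and its scheme and host compared exactly against an allowlist before it is loaded, and that the bridge is only attached once that check has passed.

```java
// Added example (hypothetical app, not TikTok's code): an Android Activity that
// receives a deep link and decides whether its WebView may load the linked URL.
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class DeepLinkWebViewActivity extends Activity {

    // Hosts allowed to render inside the app's WebView (assumed values).
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(
            Arrays.asList("www.example-app.com", "help.example-app.com"));

    // Object exposed to page JavaScript. Every @JavascriptInterface method is callable
    // by whatever page is loaded, so the page must be verified before this is attached.
    static class NativeBridge {
        @JavascriptInterface
        public String appVersion() {
            return "1.0";
        }
    }

    /** True only for an absolute https URL whose parsed host is exactly on the allowlist. */
    static boolean isAllowedWebViewUrl(String candidate) {
        if (candidate == null) {
            return false;
        }
        Uri uri = Uri.parse(candidate);
        // Compare the parsed scheme and host rather than a substring or prefix of the raw
        // string; substring checks are the classic way foreign hosts pass "verification".
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return false;
        }
        String host = uri.getHost();
        if (host == null || uri.getUserInfo() != null) {
            return false; // reject missing hosts and user@host forms outright
        }
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        // The deep link arrives as the Intent data, e.g. myapp://webview?url=<target> (assumed).
        Uri deepLink = getIntent().getData();
        String target = deepLink == null ? null : deepLink.getQueryParameter("url");

        if (!isAllowedWebViewUrl(target)) {
            // Unverified link: load nothing and never attach the bridge.
            finish();
            return;
        }

        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);
        // Attach the bridge only after the URL has passed verification.
        webView.addJavascriptInterface(new NativeBridge(), "NativeBridge");
        // Re-check every navigation so a redirect cannot carry the bridge to another origin.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowedWebViewUrl(url); // returning true blocks the navigation
            }
        });
        webView.loadUrl(target);
    }
}
```

Two design choices matter here. First, the check runs on `Uri.getHost()` and `Uri.getScheme()`, never on `contains` or `startsWith` over the raw link, so the comparison is against what the WebView will actually connect to. Second, `addJavascriptInterface` is called only on the verified path and the same check is repeated in `shouldOverrideUrlLoading`, which closes the "load an arbitrary URL, then reach the bridge" chain the researchers describe.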

The researchers produced a proof-of-concept (PoC) exploit that accomplished just that by delivering a malicious link to a specific TikTok user. When clicked, the link obtained the authentication tokens needed by TikTok servers for users to verify their account ownership.

Additionally, the PoC link modified the targeted user's bio to read "!! SECURITY BREACH!!"

According to the researchers, once the malicious link was opened, the attacker would have access to all core account features, including the ability to edit the user's TikTok profile, publish and share videos, send messages to other users, and view private videos saved in the account.

The potential impact of the vulnerability was huge, as it affected all global variants of the Android TikTok app, which has been downloaded more than 1.5 billion times from the Google Play Store. Microsoft said that it had no evidence that the flaw had been actively exploited in the wild.

Microsoft informed TikTok of the issue in February, in accordance with its responsible disclosure policies.

In response, TikTok quickly released fixes for both of its Android apps — one for East Asia and Southeast Asia and the other for all other countries — which were both impacted.

On March 22, TikTok released version 23.7.3 for Android, so users who have automatic updates turned on should already be using a newer version of the app.

According to Microsoft, it is vital for vendors and tech platforms to work together to protect users from malicious actors.

"As threats across platforms continue to grow in numbers and sophistication, vulnerability disclosures, coordinated response, and other forms of threat intelligence sharing are needed to help secure users' computing experience, regardless of the platform or device in use," wrote Microsoft's Dimitrios Valsamaras in the blog post.

The details of the new TikTok vulnerability come days after a security researcher uncovered JavaScript code in TikTok that could theoretically capture all user inputs while they were in the application's in-app browser.

TikTok refuted the allegations, stating that the script was only used for backend debugging and troubleshooting, and not to key-log any of its users.