Flaw in TikTok Android app could have allowed users’ accounts to be hackedSecurity Affairs

Microsoft has discovered a vulnerability in the TikTok app for Android that could lead to a one-click account takeover.

Microsoft researchers have discovered a very serious flaw (CVE-2022-28799) in the TikTok Android app, which could have allowed attackers to hijack user accounts with a single click. Experts say the vulnerability would have required linking with other flaws to hijack an account. Microsoft reported the issue to TikTok in February, and the company quickly fixed it. Microsoft has confirmed that it is not aware of any in-the-wild attacks exploiting the bug.

Experts have determined that the flaw impacts the Android app, which has over 1.5 billion installs through the Google Play Store.

“Attackers could have exploited the vulnerability to hijack an account without users’ knowledge if a targeted user simply clicked on a specially crafted link.” read it Publish published by Microsoft. “Attackers could then have accessed and modified TikTok profiles and users’ sensitive information, such as by posting private videos, sending messages, and uploading videos on behalf of users.”

The vulnerability allowed attackers to bypass the application‘s deep link check. An attacker could force the application to load an arbitrary URL into the application’s WebView, allowing the URL to access JavaScript bridges attached to the WebView and granting attackers functionality.

In order to trigger the problem, the researchers relied on the implementation of the application’s JavaScript interfaces, which are provided by a component of the Android operating system called WebView.

Applications can load and display web pages through WebView, it also provides bridge functionality which allows JavaScript code in the web page to invoke specific Java methods of a particular class in the application.

“Loading untrusted web content to WebView with application-level objects accessed through JavaScript makes the application vulnerable to JavaScript interface injection, which can lead to data leakage, corruption of data or, in some cases, execution of arbitrary code.” continues the report.

By analyzing the functionality accessible to JavaScript code in web pages loaded on WebView, the researchers identified more than 70 exposed methods.

Microsoft pointed out that by using the exploit to hijack WebView, it is possible to invoke these methods to grant attackers functionality. Some of the exposed methods can allow attackers to access or modify users’ private information, while others can make authenticated HTTP requests to any URL given as a parameter. The method also accepts a set of parameters in the form of a JSON string which can be used to form the body of a POST request and returns the server response including headers.

By calling such methods, an attacker can:

  • Retrieve user authentication tokens by initiating a request to a controlled server and saving the cookie and request headers.
  • Retrieve or modify user’s TikTok account data, such as private videos and profile settings, by triggering a request to a TikTok endpoint and retrieving the response through the JavaScript callback.

“In short, by controlling one of the methods capable of making authenticated HTTP requests, a malicious actor may have compromised a TikTok user account.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(Security cases hacking, android)

Share on

Comments are closed.