Microsoft discovered a high-severity vulnerability in the TikTok Android app that could have let attackers send messages and access or upload videos on a victim's behalf, without the user's knowledge.
The TikTok Android app is among the most popular apps on Google Play, with more than 1.5 billion total downloads.
Researchers determined that the flaw affected both regional versions of the TikTok app. One version is meant for East and Southeast Asia, while another is for the rest of the world.
Exploiting the vulnerability (CVE-2022-28799) required chaining several issues together, but the critical element was a specially crafted malicious link that the victim had to open. Researchers say that once that first step was completed, attackers could have accessed a trove of personal data.
“Attackers could have then accessed and modified users’ TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users,” Microsoft researchers said in a blog post.
The flaw allowed an attacker to bypass TikTok's deeplink verification, the check that is supposed to restrict which URLs the app will open in its WebView, an Android component used to display web content. With the check bypassed, attackers could force the app to load an arbitrary, attacker-controlled URL into the WebView.
Once attacker-controlled content was running in the WebView, it could abuse the app's JavaScript injection functionality, the methods the app exposes to pages it loads, to perform malicious actions such as retrieving the user's authentication tokens and modifying TikTok account data.
“In short, by controlling any of the methods able to perform authenticated HTTP requests, a malicious actor could have compromised a TikTok user account,” Microsoft researchers said.
The investigation led Microsoft's team to discover more than 70 methods exposed to JavaScript code running in the WebView. Paired with the deeplink bypass that gave an attacker control over what the WebView loads, those exposed methods let the attacker invoke the app's functionality on the user's behalf.
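The two failures described above, a bypassable deeplink allowlist and a JavaScript bridge that trusts whatever page is loaded, are easiest to see side by side. The following is an added illustration written for this article, not TikTok's code and not the exploit Microsoft used: it models a redirect-style deeplink with a hypothetical `url` parameter, a constructed allowlist of two hosts, and a single hypothetical bridge method `get_auth_token`. The logic is shown in Python rather than the app's Kotlin/Java because the point is the URL check, not the Android API.

```python
from typing import Callable, Optional
from urllib.parse import urlparse, parse_qs

# Constructed allowlist for this example; TikTok's real list is not on the page.
TRUSTED_HOSTS = {"m.tiktok.com", "www.tiktok.com"}


def weak_is_trusted(url: str) -> bool:
    """Substring-style check of the kind that bypassable deeplink handlers use.

    Passes for anything that merely *contains* a trusted host name, e.g.
    https://evil.example/?q=m.tiktok.com  or  https://m.tiktok.com@evil.example/
    """
    return any(host in url for host in TRUSTED_HOSTS)


def strict_is_trusted(url: str) -> bool:
    """Parse the URL and compare the actual host against the allowlist."""
    p = urlparse(url)
    if p.scheme != "https":
        return False
    if p.username or p.password:
        # userinfo tricks: https://m.tiktok.com@evil.example/ has host evil.example
        return False
    host = (p.hostname or "").lower()
    return host in TRUSTED_HOSTS  # exact match, so m.tiktok.com.evil.example fails


def resolve_redirect(deeplink: str, is_trusted: Callable[[str], bool]) -> Optional[str]:
    """Model of a redirect deeplink: https://m.tiktok.com/redirect?url=<target>.

    The `url` parameter name is an assumption for this example. Returns the URL
    the WebView would load, or None if the target is rejected.
    """
    target = parse_qs(urlparse(deeplink).query).get("url", [None])[0]
    if target is None or not is_trusted(target):
        return None
    return target


def bridge_call(current_url: str, method: str, session_token: str) -> Optional[str]:
    """Model of a JavaScript-to-native bridge method (hypothetical get_auth_token).

    Defense in depth: even if a bad URL reaches the WebView, the bridge refuses to
    serve a page that is not on a trusted host. The check uses the page's *current*
    URL, because a trusted page can redirect elsewhere after it has loaded.
    """
    exposed = {"get_auth_token": lambda: session_token}
    if method not in exposed:
        raise KeyError(method)
    if not strict_is_trusted(current_url):
        return None
    return exposed[method]()


if __name__ == "__main__":
    # Constructed attacker link: the target only *contains* a trusted host name.
    link = ("https://m.tiktok.com/redirect?url="
            "https%3A%2F%2Fevil.example%2F%3Fq%3Dm.tiktok.com")
    print("weak  :", resolve_redirect(link, weak_is_trusted))    # attacker URL loads
    print("strict:", resolve_redirect(link, strict_is_trusted))  # None
    print("bridge:", bridge_call("https://evil.example/?q=m.tiktok.com",
                                 "get_auth_token", "tok-123"))  # None
```

The weak check is what makes a single crafted link enough: the attacker's page loads in the WebView and can then call every exposed bridge method. The hardened version fixes both layers, so a bypass of the load-time check alone no longer yields tokens.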
Researchers reported the flaw to TikTok in February and said the company cooperated to fix the bug. Microsoft said it has no evidence the flaw was exploited in the wild.
Last September, researchers discovered a TikTok flaw that exposed users' phone numbers. If exploited, the vulnerability would have enabled attackers to build a database linking users to their phone numbers, which could then be used for malicious activity.