Microsoft said on Wednesday that it recently identified a vulnerability in TikTok's Android app that could allow attackers to hijack accounts when users did nothing more than click on a single errant link. The software maker said it notified TikTok of the vulnerability in February and that the China-based social media company has since fixed the flaw, which is tracked as CVE-2022-28799.
The vulnerability resided in how the app verified what's known as deeplinks, which are Android-specific hyperlinks for accessing individual components within a mobile app. Deeplinks must be declared in an app's manifest for use outside of the app so, for example, someone who clicks on a TikTok link in a browser has the content automatically opened in the TikTok app.
An app can also cryptographically declare the validity of a URL domain. TikTok on Android, for instance, declares the domain m.tiktok.com. Normally, the TikTok app will allow content from tiktok.com to be loaded into its WebView component but forbid WebView from loading content from other domains.
"The vulnerability allowed the app's deeplink verification to be bypassed," the researchers wrote. "Attackers could force the app to load an arbitrary URL to the app's WebView, allowing the URL to then access the WebView's attached JavaScript bridges and grant functionality to attackers."
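The defensive point here is that a deeplink-supplied URL must be validated against an exact host allowlist before it is handed to a WebView that exposes JavaScript bridges. The following is an added example, not TikTok's code and not from Microsoft's write-up; it contrasts a weak string-matching check with a strict parsed-host check using only `java.net.URI`, so it runs on any JVM. The allowlist, class name and sample URLs are assumptions for illustration, and nothing here reflects how TikTok's actual check was implemented.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/*
 * Added example (hypothetical app code, not TikTok's): decide whether a URL received
 * via a deeplink may be loaded into the app's WebView. The weak variant mirrors a
 * common mistake (substring matching on the raw URL); the strict variant parses the
 * URL and compares the host exactly against an allowlist.
 */
public final class WebViewUrlPolicy {

    // Hosts this hypothetical app is willing to load into its WebView (assumed values).
    private static final Set<String> ALLOWED_HOSTS = Set.of("m.tiktok.com", "www.tiktok.com");

    /** Weak check: accepts any string that merely contains the trusted domain name. */
    public static boolean weakCheck(String url) {
        return url.contains("tiktok.com");
    }

    /** Strict check: https only, no userinfo, and the parsed host must be in the allowlist. */
    public static boolean strictCheck(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false;                          // unparseable input is rejected outright
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return false;                          // rejects http:, javascript:, file:, intent: ...
        }
        String host = uri.getHost();               // null for opaque or malformed authorities
        if (host == null || uri.getRawUserInfo() != null) {
            return false;                          // "trusted@evil" style authorities are refused
        }
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate URL and several that fool substring matching.
        String[] samples = {
            "https://m.tiktok.com/v/123",                // legitimate: weak=true, strict=true
            "https://tiktok.com.example.test/poc",       // lookalike host: weak=true, strict=false
            "https://example.test/?next=tiktok.com",     // name only in query: weak=true, strict=false
            "https://m.tiktok.com@example.test/poc",     // userinfo trick: weak=true, strict=false
            "javascript:alert('tiktok.com')",            // not a network URL: weak=true, strict=false
        };
        for (String s : samples) {
            System.out.printf("%-45s weak=%-5b strict=%b%n", s, weakCheck(s), strictCheck(s));
        }
    }
}
```

In an Android app the strict check belongs at the point where the deeplink-handling Activity calls `WebView.loadUrl`, and again in `WebViewClient.shouldOverrideUrlLoading` so that redirects and in-page navigations are held to the same allowlist. Even with a correct host check, objects registered via `WebView.addJavascriptInterface` should expose only the minimum functionality, since any page that passes the check can call them.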
The researchers went on to create a proof-of-concept exploit that did just that. It involved sending a targeted TikTok user a malicious link that, once clicked, obtained the authentication tokens that TikTok servers require for users to prove ownership of their account. The PoC link also changed the targeted user's profile bio to display the text "!! SECURITY BREACH !!"
"Once the attacker's specially crafted malicious link is clicked by the targeted TikTok user, the attacker's server, https://www.attacker[.]com/poc, is granted full access to the JavaScript bridge and can invoke any exposed functionality," the researchers wrote. "The attacker's server returns an HTML page containing JavaScript code to send video upload tokens back to the attacker as well as change the user's profile biography."
Microsoft said it has no evidence the vulnerability was actively exploited in the wild.