Microsoft 365 Defender researchers in a blog post on Wednesday revealed that they had discovered a “high-severity” vulnerability in the TikTok Android application, which allowed attackers to hijack a user’s account with a single click.
The issue was reported to TikTok in February 2022 through its vulnerability reporting page, and a fix was included in an update released within a month of the initial disclosure.
The high-severity vulnerability, tracked as CVE-2022-28799 with a score of 8.3, affected TikTok on Android version 23.7.3 and lower. It required several issues to be chained together to exploit and was not used in the wild, according to Microsoft.
“Attackers could have leveraged the vulnerability to hijack an account without users’ awareness if a targeted user simply clicked a specially crafted link,” Microsoft 365 Defender Research Team’s Dimitrios Valsamaras said.
“Attackers could have then accessed and modified users’ TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users.”
The vulnerability allowed the app’s deeplink verification to be bypassed. Attackers could force the app to load an arbitrary URL to the app’s WebView, allowing the URL to then access the WebView’s attached JavaScript bridges and grant functionality to attackers.
In order to exploit the flaw, the researchers depended on the app’s implementation of JavaScript interfaces, which are provided by a component of the Android operating system called WebView.
WebView allows applications to load and display web pages. It also uses the addJavascriptInterface API call to provide bridge functionality that allows JavaScript code in the web page to invoke specific Java methods of a particular class in the app.
“Loading untrusted web content to WebView with application-level objects accessible via JavaScript code renders the application vulnerable to JavaScript interface injection, which may lead to data leakage, data corruption, or, in some cases, arbitrary code execution,” Valsamaras added.
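A defensive pattern for the risk described above, as an added example that is not taken from Microsoft's write-up or from TikTok's code: check a deeplink-supplied URL against an exact-host allowlist before it reaches a WebView that exposes a JavaScript bridge, and re-check later navigations. The class name, the `url` parameter, the bridge name and the hosts are assumptions.

```java
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical loader: class name, "url" parameter, bridge name and hosts are assumptions.
public final class TrustedWebViewLoader {
    // Constructed allowlist: exact hosts that may talk to the bridge.
    private static final Set<String> BRIDGE_HOSTS =
            new HashSet<>(Arrays.asList("app.example.com", "help.example.com"));

    // Only methods annotated with @JavascriptInterface are callable from page script.
    static final class Bridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; }
    }

    // True only for https URLs with no userinfo whose host exactly matches the allowlist.
    static boolean isTrusted(Uri uri) {
        if (uri == null || !"https".equalsIgnoreCase(uri.getScheme())) return false;
        String host = uri.getHost();
        if (host == null || uri.getUserInfo() != null) return false;
        return BRIDGE_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    // Loads a deeplink-supplied URL; untrusted targets never reach the bridged WebView.
    static boolean loadFromDeeplink(WebView webView, Uri deeplink) {
        if (deeplink == null || !deeplink.isHierarchical()) return false;
        String target = deeplink.getQueryParameter("url");
        Uri uri = (target == null) ? null : Uri.parse(target);
        if (!isTrusted(uri)) return false;
        // Re-check every later navigation so a trusted page cannot hand off the bridge.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isTrusted(request.getUrl()); // true cancels the navigation
            }
        });
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new Bridge(), "bridge");
        webView.loadUrl(uri.toString());
        return true;
    }
}
```

The `shouldOverrideUrlLoading(WebView, WebResourceRequest)` overload requires API level 24 or later.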
While reviewing the functionality accessible to the JavaScript code in web pages loaded to WebView, the researchers found that clicking the link exposed more than 70 JavaScript methods.
This vulnerability, when paired with an exploit to hijack WebView, could grant functionality to attackers that would allow them to access or modify TikTok users’ private information or perform authenticated HTTP requests to any URL given as a parameter.
By invoking such methods, an attacker can:
- Retrieve the user’s authentication tokens by triggering a request to a controlled server and logging the cookie and the request headers.
- Retrieve or modify the user’s TikTok account data, such as private videos and profile settings, by triggering a request to a TikTok endpoint and retrieving the reply via the JavaScript callback.
“In short, by controlling any of the methods able to perform authenticated HTTP requests, a malicious actor could have compromised a TikTok user account,” said Valsamaras.
TikTok has two versions of its Android app: one for East and Southeast Asia under the package name com.ss.android.ugc.trill, and another for the remaining countries under the package name com.zhiliaoapp.musically. When Microsoft performed a vulnerability assessment, they found that both versions of the app for Android, which have over 1.5 billion installations combined via the Google Play Store, were impacted.
Microsoft recommends users update their apps to the latest version to protect themselves, avoid loading malicious or untrusted web content, immediately report any abnormal app behavior, and download and install apps only from official sources.