
Microsoft finds TikTok vulnerability allowing one-click account hacking


    Microsoft said on Wednesday it recently discovered a vulnerability in TikTok’s Android app that could allow attackers to hijack accounts when users did nothing but click a single malicious link. The software maker said it notified TikTok of the vulnerability in February and that the China-based social media company has since fixed the flaw, which is tracked as CVE-2022-28799.

    The vulnerability was in how the app validated so-called deep links, hyperlinks that open a specific screen or component inside a mobile app rather than a page in the browser. On Android, an app declares the links it handles as intent filters in its manifest so they can be invoked from outside the app; someone who taps a TikTok link in a browser, for example, has the content open directly in the TikTok app.

    An app can also ask Android to verify that it legitimately owns a URL domain (a verified App Link, confirmed through a Digital Asset Links file that the domain owner hosts at /.well-known/assetlinks.json). TikTok on Android, for example, declares the domain m.tiktok.com. That verification only settles which app receives the link, though; it says nothing about what the app does with the URL it is handed. Normally, the TikTok app only permits content from tiktok.com to be loaded into its WebView component, and the app’s own checks are supposed to reject any other domain, since WebView itself will load whatever URL the app passes it.

    “The vulnerability allowed the app’s deep link authentication to be bypassed,” the researchers wrote. “Attackers can force the app to load any URL to the app’s WebView, which would then allow the URL to access WebView’s attached JavaScript bridges and grant attackers functionality.”
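    The mechanics the researchers describe, shown as an added illustrative example rather than TikTok’s own code: a hypothetical Android Activity that accepts a deep link carrying a url query parameter, loads it into a WebView that exposes a JavaScript bridge, and gates the load with a host check. The weak variant shows the kind of substring and prefix comparisons that let a foreign origin through; the strict variant parses the URL and compares the host exactly against an allow-list. The class, method and parameter names, the bridge method and the trusted host list are assumptions for this example, not details from Microsoft’s report.

```java
// Added illustrative example (not TikTok's code). Names are hypothetical.
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class DeepLinkWebViewActivity extends Activity {
    // Hosts the WebView may load; anything else must be refused. (Assumed list.)
    private static final String[] TRUSTED_HOSTS = {"m.tiktok.com", "www.tiktok.com"};

    // Every method annotated @JavascriptInterface is callable from *any* page the
    // WebView renders, as window.appBridge.getUploadToken(). The allow-list below is
    // the only thing standing between a foreign origin and this method.
    static class UploadBridge {
        @JavascriptInterface
        public String getUploadToken() {
            return "token-from-app-storage"; // placeholder for a real secret
        }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new UploadBridge(), "appBridge");
        setContentView(webView);

        // Deep link of the form https://m.tiktok.com/redirect?url=<target> (hypothetical).
        Uri deepLink = getIntent().getData();
        String target = deepLink == null ? null : deepLink.getQueryParameter("url");
        if (target == null || !isTrustedUrl(target)) {
            finish(); // refuse: an untrusted page would inherit the bridge
            return;
        }

        // Gate later navigations too; otherwise a trusted page that redirects
        // elsewhere carries the bridge along with it. Returning true blocks the load.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isTrustedUrl(request.getUrl().toString());
            }
        });
        webView.loadUrl(target);
    }

    // WEAK (do not use; kept for contrast). Each check accepts attacker-controlled URLs:
    //   https://www.attacker.example/?x=m.tiktok.com        passes contains()
    //   https://m.tiktok.com.attacker.example/               passes startsWith()
    //   https://evil-tiktok.com/                             passes endsWith()
    static boolean isTrustedUrlWeak(String url) {
        return url.contains("tiktok.com")
                || url.startsWith("https://m.tiktok.com")
                || Uri.parse(url).getHost() != null && Uri.parse(url).getHost().endsWith("tiktok.com");
    }

    // STRICT: parse first, require https, reject userinfo tricks, then compare the
    // parsed host exactly (case-insensitively) against the allow-list.
    static boolean isTrustedUrl(String url) {
        Uri u = Uri.parse(url);
        if (!"https".equalsIgnoreCase(u.getScheme())) return false;
        String host = u.getHost();
        if (host == null || u.getUserInfo() != null) return false;
        for (String trusted : TRUSTED_HOSTS) {
            if (host.equalsIgnoreCase(trusted)) return true;
        }
        return false;
    }
}
```

The design point is that the bridge, not the URL, is the asset: once any attacker-controlled origin is rendered in this WebView, its JavaScript can call getUploadToken() exactly as a tiktok.com page could, which is why the host check has to operate on the parsed host and not on the raw string.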

    The researchers went on to create a proof-of-concept exploit that did just that. It involved sending a targeted TikTok user a malicious link that, when clicked, retrieved the authentication tokens the app presents to TikTok’s servers to prove it is acting for the account holder. The PoC also changed the targeted user’s profile bio to read “!! SECURITY BREACH!!”.

    “Once the attacker’s specially crafted malicious link is clicked by the targeted TikTok user, the attacker’s server, https://www.attacker[.]com/poc, gains full access to the JavaScript bridge and can call any exposed functionality,” the researchers wrote. “The attacker’s server returns an HTML page containing JavaScript code to send video upload tokens back to the attacker and to change the user’s profile biography.”

    Microsoft said it has no evidence that the vulnerability has been actively exploited in the wild.