Microsoft on Wednesday disclosed details of a now-patched “high-risk vulnerability” in the TikTok app for Android that could allow attackers to take control of accounts when victims click on a malicious link.
“Attacks could exploit the vulnerability to hijack an account without users’ knowledge if the target user simply clicked on a specially created link,” said Demetrius Valsamaras of the Microsoft 365 Defender Research Team. He said in writing.
Successful exploitation of the bug could have allowed malicious parties to access and modify TikTok profiles and sensitive user information, leading to unauthorized exposure of private videos. The attackers may also have misused the bug to send messages and upload videos on behalf of users.
– Advertising –
The issue, fixed in version 23.7.3, affects two variants of the Android app com.ss.android.ugc.trill (for East and Southeast Asian users) and com.zhiliaoapp.musically (for users in other countries, except India, where prohibited). Combined, the apps have more than 1.5 billion installs between them.
Track K CVE-2022-28799 (CVSS score: 8.8), The vulnerability is related to the application’s handling of a so-called deep link, which is a special hyperlink that allows applications to open a particular resource within another application installed on the device rather than directing users to a website.
Simply put, the flaw allows bypassing app restrictions to deny untrusted hosts and load any website chosen by the attacker through the Android platform. web viewA mechanism for displaying web content to other applications.
Valsamaras explained that “filtering is done on the server side and the decision to load or reject a URL depends on the response received from a particular HTTP GET request,” adding that static analysis “indicates that it is possible to bypass server-side validation by adding two additional parameters to the given position link “.
One consequence of this exploit designed to hijack WebView to load rogue websites is that it could allow an adversary to invoke more than 70 exposed TikTok endpoints, harming the integrity of a user’s profile. There is no evidence that the insect was armed in the wild.
“Evil thinker. Music scholar. Hipster-friendly communicator. Bacon geek. Amateur internet enthusiast. Introvert.”