Microsoft on Wednesday disclosed details of a “high severity vulnerability” in TikTok for Android that could allow attackers to take control of accounts if a victim clicks on a malicious URL.
“Attackers may have leveraged the vulnerability in order to hijack an account, without users’ awareness, if a targeted person simply clicked a specially crafted hyperlink,” Dimitrios Valsamaras of the Microsoft 365 Defender Research Team stated in a write-up.
The flaw could have been exploited to let malicious actors modify users’ TikTok profiles and other sensitive information, which in turn could have exposed private videos without the owners’ consent. Attackers could also have used the bug to send and upload videos on users’ behalf.
The issue, addressed in version 23.7.3, affects two flavors of the Android app: com.ss.android.ugc.trill (for East and Southeast Asian users) and com.zhiliaoapp.musically (for users in other countries, except for India, where the app is banned). Together, the two apps account for more than 1.5 million installs.
The vulnerability, tracked as CVE-2022-28799 (CVSS score: 8.8), stems from the way the app handles deeplinks. A deeplink is a special hyperlink that lets an app open a specific resource in another app on the device, rather than redirecting the user to a website.
“A crafted URL (unvalidated deeplink) can force the com.zhiliaoapp.musically WebView to load an arbitrary website,” according to an advisory for the flaw. This could allow an attacker to leverage an attached JavaScript interface to take over the site in a single click.
Simply put, the flaw lets an attacker bypass the app’s restriction that rejects untrusted hosts and load any website of the attacker’s choosing through Android System WebView, the component Android uses to display web content inside other applications.
“The filtering happens on the server side and the decision to load a URL or reject it is based upon the response received from a specific HTTP GET request,” Valsamaras explained. Static analysis also indicated that “it is possible to bypass this server-side check by adding 2 additional parameters to the deeplink.”
An exploit designed to hijack the WebView and load rogue sites could give an adversary access to over 70 exposed TikTok endpoints, compromising the integrity of a user’s profile. The bug is not known to have been exploited in the wild.
Microsoft stated that JavaScript interfaces pose significant programming risks: a compromised JavaScript interface could allow attackers to execute code with the application’s ID and privileges.
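The two weaknesses the article describes, a deeplink whose target host is filtered only by a server-side decision and a WebView that exposes a JavaScript interface to whatever page it ends up loading, are easiest to see as a hardening pattern. The Android code below is an added example, not TikTok’s or Microsoft’s code; the activity name, the `url` query parameter, the allowlisted hosts and the `NativeBridge` class are assumptions made for illustration. It validates the deeplink target locally against a fixed host allowlist, refuses to navigate away from those hosts once the page is loaded, and keeps the exposed native bridge minimal.

```java
// Added example (not TikTok's or Microsoft's code): a hardened deeplink handler for an
// Android Activity that owns a WebView. DeepLinkWebActivity, ALLOWED_HOSTS, the "url"
// query parameter and NativeBridge are assumptions chosen for illustration.
package com.example.deeplink;

import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class DeepLinkWebActivity extends Activity {

    // Hosts this WebView may load. The decision is made inside the app with a fixed
    // allowlist, not delegated to a server response that attacker-controlled query
    // parameters on the deeplink might influence.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList(
            "example.com", "www.example.com"));

    private WebView webView;

    /** Returns true only for https URLs whose host matches the allowlist exactly. */
    static boolean isTrustedUrl(Uri uri) {
        if (uri == null) return false;
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false;
        if (!"https".equals(scheme.toLowerCase(Locale.ROOT))) return false;
        // Exact host comparison; prefix or suffix matching ("example.com.evil.test")
        // is the classic way such checks get bypassed.
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** Extracts the target URL carried by a deeplink such as myapp://web?url=https://... */
    static Uri targetFromDeepLink(Uri deepLink) {
        if (deepLink == null) return null;
        String target = deepLink.getQueryParameter("url"); // parameter name is an assumption
        return target == null ? null : Uri.parse(target);
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        setContentView(webView);

        Uri target = targetFromDeepLink(getIntent().getData());
        if (!isTrustedUrl(target)) {
            // Untrusted target: do not load it at all, just close the screen.
            finish();
            return;
        }

        // Cancel any navigation (redirect, link click) that would leave the allowlisted
        // hosts, so a trusted first page cannot be used to pivot to an attacker-controlled one.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isTrustedUrl(request.getUrl()); // true = block this navigation
            }
        });

        webView.getSettings().setJavaScriptEnabled(true);
        // The bridge is attached only after the host check passed, and it exposes as
        // little as possible: every @JavascriptInterface method runs with the app's
        // own ID and privileges, exactly the risk the advisory points at.
        webView.addJavascriptInterface(new NativeBridge(), "NativeBridge");
        webView.loadUrl(target.toString());
    }

    /** Minimal bridge: only read-only, non-sensitive functionality is exposed to pages. */
    static class NativeBridge {
        @JavascriptInterface
        public String appVersion() {
            return "1.0.0"; // constructed value for the example
        }
    }
}
```

The important design choice is that `isTrustedUrl` is applied twice: once to the deeplink target before anything is loaded, and again in `shouldOverrideUrlLoading` for every subsequent navigation, so that neither a crafted deeplink nor a redirect from a trusted page can bring an attacker-controlled site into a WebView that has a native bridge attached.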