Researchers have discovered a critical vulnerability in the TikTok Android app which could allow hackers to hijack user accounts remotely.
The vulnerability, CVE-2022-28799, was reported to the ByteDance owned company by Microsoft in February 2022. Tiktok quickly fixed the issue. It is estimated that the app has around 1.5billion downloads on the Play Store, however, Microsoft added, the bug has not yet been exploited in the wild.
Microsoft further explained: “The vulnerability allowed the app’s deeplink verification to be bypassed. Attackers could force the app to load an arbitrary URL to the app’s WebView, allowing the URL to then access the WebView’s attached JavaScript bridges and grant functionality to attackers.”
Microsoft also identified more than 70 exposed JavaScript methods which could be used to grant functionality to the attackers, if paired with an exploit to hijack WebView such as the TikTok bug.
If an attacker did that, they could retrieve the user’s authentication tokens by triggering a request to a controlled server and logging the cookie and the request headers. They would also be able to retreieve or modify the user’s TikTok account data by triggering a request to the app’s endpoint and retrieving the reply via the JavaScript callback.
In their proof of concept, Microsoft wrote: “Once the attacker’s specially crafted malicious link is clicked by the targeted TikTok user, the attacker’s server is granted full access to the JavaScript bridge and can invoke any exposed functionality.”
“The attacker’s server returns an HTML page containing JavaScript code to send video upload tokens back to the attacker as well as change the user’s profile biography.”
Attackers could, with full control over users’ ac ..
Support the originator by clicking the read the rest link below.
