Microsoft found TikTok Android flaw that let hackers hijack accounts


Microsoft found and reported a high-severity flaw in the TikTok Android app in February that allowed attackers to “quickly and quietly” take over accounts with one click by tricking targets into opening a specially crafted malicious link.

“Attackers could have leveraged the vulnerability to hijack an account without users’ awareness if a targeted user simply clicked a specially crafted link,” Microsoft 365 Defender Research Team’s Dimitrios Valsamaras said.

“Attackers could have then accessed and modified users’ TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users.”

Clicking the link exposed more than 70 JavaScript methods that could be abused by an attacker with the help of an exploit designed to hijack the TikTok app’s WebView (an Android system component used by the vulnerable app to display web content).

Using the exposed methods, threat actors could access or modify TikTok users’ private information or perform authenticated HTTP requests.

In short, attackers who managed to exploit this vulnerability could have easily:

  • retrieved the users’ authentication tokens (by triggering a request to a server under their control and logging the cookie and the request headers)
  • retrieved or modified the users’ TikTok account data, including private videos and profile settings (by triggering a request to a TikTok endpoint and retrieving the reply via the JavaScript callback)

“A WebView Hijacking vulnerability was found on the TikTok Android application via an un-validated deeplink on an un-sanitized parameter. This could have resulted in account hijacking through a JavaScript interface,” the HackerOne report further explains.
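To make the defect concrete, here is an added illustration (not TikTok’s code, and not taken from Microsoft’s or HackerOne’s reports) of the general pattern the HackerOne summary describes: an Android Activity that takes a URL from a deeplink parameter and loads it straight into a WebView that exposes a JavaScript bridge, beside a hardened version that validates the scheme and host against an allowlist first. The Activity name, the `AppBridge` interface, the `url` parameter and the allowlisted hosts are all assumed for illustration.

```java
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.List;

public class DeepLinkWebViewActivity extends Activity {
    // Hypothetical bridge: any page rendered in the WebView can call its
    // @JavascriptInterface methods, so the loaded origin must be trusted.
    static class SessionBridge {
        private final String sessionToken;
        SessionBridge(String token) { sessionToken = token; }
        @JavascriptInterface
        public String getSessionToken() { return sessionToken; }
    }
    // Assumed allowlist of first-party hosts that may reach the bridge.
    private static final List<String> TRUSTED_HOSTS =
            Arrays.asList("www.example-app.com", "m.example-app.com");

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new SessionBridge("constructed-token"), "AppBridge");
        setContentView(webView);
        // Deeplink of the form myapp://webview?url=... (scheme and parameter assumed).
        Uri deepLink = getIntent().getData();
        String target = deepLink == null ? null : deepLink.getQueryParameter("url");

        // VULNERABLE: loading the parameter as-is renders content from any host
        // with the bridge attached, so that host's scripts can read the token.
        // webView.loadUrl(target);

        // HARDENED: only https URLs on an allowlisted host are rendered.
        if (isTrustedUrl(target)) {
            webView.loadUrl(target);
        } else {
            finish(); // drop the deeplink rather than render untrusted content
        }
    }

    // Exact host match after parsing; a substring check such as
    // contains("example-app.com") would accept example-app.com.attacker.test.
    static boolean isTrustedUrl(String url) {
        if (url == null) return false;
        Uri parsed = Uri.parse(url);
        return "https".equals(parsed.getScheme()) && parsed.getHost() != null
                && TRUSTED_HOSTS.contains(parsed.getHost().toLowerCase());
    }
}
```

A defender reviewing an app for this class of issue would look for every `loadUrl` whose argument can be traced back to intent data, and check that a parse-then-allowlist step like `isTrustedUrl` sits between the two.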

Now patched, not exploited in attacks

The security vulnerability, tracked as CVE-2022-28799, has been patched since the release of TikTok version 23.7.3, published less than a month after Microsoft’s initial disclosure.

Microsoft says it has not yet found evidence of CVE-2022-28799 being exploited in the wild.

TikTok users can defend against similar issues by not clicking links from untrusted sources, keeping their apps up to date, only installing apps from official sources, and reporting any strange app behavior as soon as possible.

Additional information on how this vulnerability could have been used in attacks for account takeover can be found in Microsoft’s report.

In November 2020, TikTok fixed vulnerabilities that enabled threat actors to quickly hijack the accounts of users who signed up via third-party apps.

The company has also addressed other security flaws that could have allowed attackers to steal users’ personal information or hijack their accounts to manipulate videos.

According to its Google Play Store entry, TikTok’s Android app has over 1 billion installs. Based on Sensor Tower Store Intelligence estimates, the mobile app has already crossed the 2 billion install mark across all platforms since April 2020.