Multiple Bugs In TikTok Android App Could Allow 1-Click RCE Attacks

Numerous security vulnerabilities existed in the TikTok application for Android. Exploiting these bugs in TikTok Android app could allow executing 1-click remote code execution (RCE) attacks.

TikTok Android App 1-Click RCE Bugs

Security researcher Sayed Abdelhafiz has shared details of his findings regarding TikTok flaws.

Explaining it all in a post, the researcher stated that he found multiple bugs in the TikTok Android app that could lead to 1-click RCE attacks.

Briefly, he found the following vulnerabilities in the app.

  • Universal XSS on TikTok WebView
  • Another XSS on AddWikiActivity
  • Start Arbitrary Components
  • Zip Slip in TmaTestActivity
  • RCE!

After finding these bugs, the researcher then attempted to look for RCE. So, he created a zip file and path traversed the file /data/data/com.zhiliaoapp.musically/app_lib/df_rn_kit/df_rn_kit_a3e37c20900a22bc8836a51678e458f7/arm64-v8a/libjsc.so

It, hence, became possible to overwrite native libraries with malicious ones. But executing the malicious library would initially require relaunching the app.

However, he removed this limitation by launching com.tt.miniapphost.placeholder.MiniappTabActivity0 Activity.

Details about the specific vulnerabilities and the exploit PoC are available in the researcher’s post.

Patch Deployed

Upon discovering the bugs, the researcher reached out to TikTok to report the matter via their HackerOne bug bounty program.

Consequently, TikTok fixed the bugs individually in the following manner.

  • Deleted vulnerable XSS
  • Deleted TmaTestActivity
  • “Implement restrictions to intent scheme that doesn’t allow an intent for TikTok Application on AddWikiActivity and Main WebViewActivity”.

As the bug report shows, the researcher reported this issue to TikTok in December 2020. Whereas, TikTok deployed the fixes in January 2021.

The vulnerability has received a critical severity rating with a score of 9.8. Whereas, for reporting the bugs, the researcher earned $11,214 as bounty.

The present report marks the second disclosure this year that shed light on TikTok vulnerabilities.

Earlier this year, TikTok addressed multiple vulnerabilities that could expose users’ data. These bugs existed due to the way the TikTok app allowed contact sync. Following the report from Checkpoint, TikTok deployed the fixes for the bugs.

Whereas, TikTok has also launched its dedicated bug bounty program on HackerOne in October 2020.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients