Microsoft researchers discovered a serious vulnerability in TikTok that threatened the security of user accounts. Specifically, they found an account hijacking vulnerability in the TikTok Android app. Although TikTok has grown immensely in recent years, and businesses court views on the platform to promote their brands, this is not the first time TikTok has faced accusations of privacy and security violations.
TikTok App Account Hijacking Vulnerability
As elaborated in a recent blog post, Microsoft’s research team analyzed the TikTok Android app and found an account hijacking vulnerability. The researchers explained that they examined the TikTok app “flavors” – com.ss.android.ugc.trill (for East and Southeast Asia) and com.zhiliaoapp.musically (for other regions) – and noticed the vulnerability affecting both versions.
Specifically, the flaw is exploited through the app's Android WebView, where malicious JavaScript can invoke functionality exposed by the app. An attacker could trigger the vulnerability simply by sending a malicious link to the target TikTok user. If the victim opens the link within TikTok, the app's WebView loads the attacker's site, which can then serve JavaScript from its own servers that invokes the exposed Java methods.
Because those Java methods were reachable from the attacker's page, the attacker could hijack the target's TikTok account through the WebView.
In a real-world scenario, an attacker exploiting this vulnerability could retrieve the target user’s authentication tokens, access account information, modify account details, and even access private videos.
The researchers have shared the technical details and the proof of concept for this attack in their post.
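The root cause described above is a WebView that loads a URL taken from a deeplink parameter without validating it, while a JavaScript interface is attached. The following Android snippet is an added example, not TikTok's code and not from the Microsoft write-up, showing the defensive pattern: the destination URL is checked against a strict scheme and host allowlist before the WebView is created, and every subsequent navigation is re-checked. The Android APIs (Uri, WebView, WebViewClient, @JavascriptInterface) are real; the query parameter name "url", the allowlisted hosts, and the AppBridge method are hypothetical placeholders.

```java
// Added example: validate a deeplink URL before loading it in a WebView that
// exposes Java methods through a JavascriptInterface. Parameter name "url",
// the allowlist and the AppBridge method are hypothetical.
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class DeepLinkWebViewActivity extends Activity {

    // Hosts permitted to reach the exposed Java methods (hypothetical values).
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(
            Arrays.asList("www.example.com", "m.example.com"));

    /** Returns true only for https URLs whose host is exactly on the allowlist. */
    static boolean isTrustedUrl(Uri uri) {
        if (uri == null) return false;
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false;
        // Require https so a network attacker cannot substitute their own page.
        if (!"https".equals(scheme.toLowerCase(Locale.ROOT))) return false;
        // Exact match, never endsWith/contains: "example.com.evil.test" must fail.
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** Object whose @JavascriptInterface methods become callable from page JS. */
    static class AppBridge {
        @JavascriptInterface
        public String getAppVersion() {   // hypothetical, deliberately harmless
            return "1.0.0";
        }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        // The deeplink that opened this Activity, e.g. myapp://open?url=https://...
        Uri deepLink = getIntent().getData();
        Uri target = null;
        if (deepLink != null) {
            String raw = deepLink.getQueryParameter("url"); // "url" is a placeholder
            if (raw != null) target = Uri.parse(raw);
        }

        // The unsafe pattern is loading `raw` unconditionally with the bridge
        // attached; here an untrusted destination ends the Activity instead.
        if (!isTrustedUrl(target)) {
            finish();
            return;
        }

        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new AppBridge(), "AppBridge");

        // Re-check every navigation: a trusted page may redirect or link elsewhere,
        // and the bridge stays attached for the lifetime of this WebView.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isTrustedUrl(request.getUrl()); // returning true blocks the load
            }
        });

        webView.loadUrl(target.toString());
    }
}
```

The design choice worth noting is that isTrustedUrl is a pure static method, so the allowlist logic can be unit-tested with crafted URIs (mixed-case hosts, userinfo tricks, lookalike domains) without an emulator, and that the check runs both before the WebView is created and on every navigation rather than only on the initial load.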
TikTok Patched The Flaw
Following this discovery, the researchers contacted the TikTok team to report the matter. The issue was assigned CVE-2022-28799 with a severity score of 8.3. According to the bug description in a HackerOne report,
A WebView Hijacking vulnerability was found on the TikTok Android application via an un-validated deeplink on an un-sanitized parameter. This could have resulted in account hijacking through a JavaScript interface.
TikTok has since patched the vulnerability, shipping the fix in TikTok for Android version 23.7.3, and has released numerous further updates to the app since.