Microsoft researchers discovered a high-severity flaw (CVE-2022-28799) in the TikTok Android app, which could have allowed attackers to hijack users’ accounts with a single click. The experts state that the vulnerability would have required the chaining with other flaws to hijack an account. Microsoft reported the issue to TikTok in February, and the company quickly addressed it. Microsoft confirmed that it is not aware of attacks in the wild exploiting the bug.
The experts determined that the flaw impacted the Android app, which has over 1.5 billion installations via the Google Play Store.
“Attackers could have leveraged the vulnerability to hijack an account without users’ awareness if a targeted user simply clicked a specially crafted link.” reads the post published by Microsoft. “Attackers could have then accessed and modified users’ TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users.”
Microsoft pointed out that using the exploit to hijack WebView it is possible to invoke these methods to grant functionality to attackers. Some of the exposed methods can allow attackers to access or modify users’ private information, while others can perform authenticated HTTP requests to any URL given as a parameter. The method also accepts a set of parameters in the form of a JSON string that can be used to form the body of a POST request and returns the server’s reply, including the headers.
By invoking such methods, an attacker can:
“In short, by controlling any of the methods able to perform authenticated HTTP requests, a malicious actor could have compromised a TikTok user account.” concludes the report.
(SecurityAffairs – hacking, Android)