A flaw in TikTok Android app could have allowed the hijacking of users’ accounts

Pierluigi Paganini August 31, 2022

Microsoft discovered a vulnerability in the TikTok app for Android that could lead to one-click account hijacking.

Microsoft researchers discovered a high-severity flaw (CVE-2022-28799) in the TikTok Android app, which could have allowed attackers to hijack users’ accounts with a single click. The experts state that the vulnerability would have had to be chained with other flaws to hijack an account. Microsoft reported the issue to TikTok in February, and the company quickly addressed it. Microsoft confirmed that it is not aware of attacks in the wild exploiting the bug.

The experts determined that the flaw impacted the Android app, which has over 1.5 billion installations via the Google Play Store.

“Attackers could have leveraged the vulnerability to hijack an account without users’ awareness if a targeted user simply clicked a specially crafted link.” reads the post published by Microsoft. “Attackers could have then accessed and modified users’ TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users.”

The vulnerability allowed attackers to bypass the app’s deeplink verification. An attacker could force the app to load an arbitrary URL into the app’s WebView, allowing the page at that URL to access the WebView’s attached JavaScript bridges and thereby grant functionality to attackers.

In order to trigger the issue, the researchers relied on the app’s implementation of JavaScript interfaces, which are provided by a component of the Android operating system called WebView.

Applications can load and display web pages through WebView; it also provides bridge functionality that allows JavaScript code in a web page to invoke specific Java methods of a particular class in the app.

“Loading untrusted web content to WebView with application-level objects accessible via JavaScript code renders the application vulnerable to JavaScript interface injection, which may lead to data leakage, data corruption, or, in some cases, arbitrary code execution.” continues the report.
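The defensive counterpart to the bypass described above, as an added example that is not TikTok’s code and is not taken from Microsoft’s report: an Android Activity that receives a deep link, loads it into a WebView only if the scheme is https and the host exactly matches a first-party allowlist, re-checks every navigation, and removes the JavaScript bridge if content from any other origin is ever loaded. The host names, the `NativeBridge` class and its `appVersion()` method are hypothetical placeholders.

```java
// Added example (not TikTok's code, not from Microsoft's report): a deep-link handling
// Activity that only exposes its JavaScript bridge to pages from an exact host allowlist.
import android.app.Activity;
import android.graphics.Bitmap;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class DeepLinkWebViewActivity extends Activity {

    // Hypothetical first-party hosts. Exact-match allowlist: never endsWith()/contains(),
    // which would accept www.example.com.evil.tld or evil.tld/?x=www.example.com.
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com", "m.example.com"));

    private static final String BRIDGE_NAME = "NativeBridge"; // hypothetical

    /** True only for well-formed https URLs without userinfo whose host is allowlisted. */
    static boolean isTrustedUrl(String url) {
        if (url == null) return false;
        final URI uri;
        try {
            uri = new URI(url);            // strict parser: malformed input is rejected, not fixed up
        } catch (URISyntaxException e) {
            return false;
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        if (uri.getRawUserInfo() != null) return false;   // https://www.example.com@evil.tld/
        String host = uri.getHost();
        if (host == null || host.isEmpty()) return false;
        return TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** Bridge surface kept deliberately narrow: no generic "fetch this URL with my cookies". */
    static final class NativeBridge {
        @JavascriptInterface
        public String appVersion() { return "1.0.0"; } // hypothetical, non-sensitive
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        final WebView webView = new WebView(this);
        setContentView(webView);

        // The deep link URL comes from an untrusted Intent; validate before any load.
        String target = getIntent().getDataString();
        if (!isTrustedUrl(target)) {
            finish();                      // drop the link instead of loading it
            return;
        }

        webView.setWebViewClient(new WebViewClient() {
            // API 24+: also invoked for redirects, so every main-frame navigation is checked.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isTrustedUrl(request.getUrl().toString()); // true = block navigation
            }

            // Defence in depth: if an untrusted page ever starts loading, detach the bridge first.
            @Override
            public void onPageStarted(WebView view, String url, Bitmap favicon) {
                if (!isTrustedUrl(url)) {
                    view.removeJavascriptInterface(BRIDGE_NAME);
                    view.stopLoading();
                }
            }
        });

        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new NativeBridge(), BRIDGE_NAME);
        webView.loadUrl(target);
    }
}
```

Two points the code does not make explicit: a JavaScript interface is visible to every frame in the WebView, so a trusted page that embeds third-party iframes still exposes the bridge to them (frame controls on the first-party pages matter as well), and the bridge itself should never offer a method that performs authenticated requests to a caller-supplied URL, since that single capability is what turns an injected page into an account takeover in the report above.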

While analyzing the functionality accessible to the JavaScript code in web pages loaded to WebView, the researchers identified more than 70 exposed methods.

Microsoft pointed out that, once the exploit has hijacked the WebView, it is possible to invoke these methods to grant functionality to attackers. Some of the exposed methods allow attackers to access or modify users’ private information, while others can perform authenticated HTTP requests to any URL given as a parameter. Such a method also accepts a set of parameters in the form of a JSON string that can be used to form the body of a POST request, and returns the server’s reply, including the headers.

By invoking such methods, an attacker can:

  • Retrieve the user’s authentication tokens by triggering a request to a controlled server and logging the cookie and the request headers.
  • Retrieve or modify the user’s TikTok account data, such as private videos and profile settings, by triggering a request to a TikTok endpoint and retrieving the reply via the JavaScript callback.

“In short, by controlling any of the methods able to perform authenticated HTTP requests, a malicious actor could have compromised a TikTok user account.” concludes the report.
