Microsoft has detailed a high-severity flaw in the TikTok Android app that could have allowed an attacker to hijack an account when users click on a link.
Fortunately, developers at TikTok parent ByteDance quickly fixed the flaw after Microsoft researchers reported the issue to it in February through its bug bounty program, according to Dimitrios Valsamaras, a researcher with the Microsoft 365 Defender Research Team.
The bug has now been assigned the identifier CVE-2022-28799, and while it is fixed, Microsoft is urging all TikTok users on Android to update the app to the latest version.
As Valsamaras notes in a blog post, there are two versions of the TikTok Android app. One (with the package name com.ss.android.ugc.trill) is for East and Southeast Asia and another (with the package name com.zhiliaoapp.musically) is for other regions. Both contained the vulnerability.
“We commend the efficient and professional resolution from the TikTok security team. TikTok users are encouraged to ensure they’re using the latest version of the app,” writes Valsamaras.
The actual vulnerability lies in how the TikTok app handles a particular “deeplink” on Android, according to Valsamaras. Developers can use deeplinks to link to a chosen component within an app. When users click a deeplink, the Android package manager checks all installed apps to see which one can respond to the deeplink and then routes it to the component declared as its handler, Valsamaras notes.
“While reviewing the app’s handling of a specific deeplink, we discovered several issues that, when chained together, could have been used to force the application to load an arbitrary URL to the application’s WebView,” writes Valsamaras.
By invoking the app’s methods reachable from that WebView, the attacker can nab the user’s authentication tokens by triggering a request to an attacker-controlled server and logging the cookie and the request headers. The attacker can also retrieve or modify the user’s TikTok account data, such as private videos and profile settings.
“In short, by controlling any of the methods able to perform authenticated HTTP requests, a malicious actor could have compromised a TikTok user account,” writes Valsamaras.
Microsoft recommends developers instead use an “approved list of trusted domains to be loaded to the application’s WebView to prevent loading malicious or untrusted web content.”
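To illustrate the deeplink-to-WebView pattern and the allowlist Microsoft recommends, here is an added example in Java; it is not TikTok’s code, and the Activity name, the "url" query parameter and the hosts in the list are assumptions.

```java
// Added example (not TikTok's code): an Activity that receives a deeplink and
// loads a URL from it into a WebView. The "url" parameter name, the hosts and
// the Activity itself are assumptions for illustration.
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;
import java.util.Set;

public class DeeplinkWebViewActivity extends Activity {
    // Approved list of exact hosts the WebView may load (assumed values).
    private static final Set<String> TRUSTED_HOSTS =
            Set.of("www.example.com", "m.example.com");

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        Uri deeplink = getIntent().getData();
        String target = (deeplink == null) ? null : deeplink.getQueryParameter("url");
        if (target == null) {
            finish();
            return;
        }

        // Weak pattern: whatever URL the deeplink carries is loaded into the
        // authenticated WebView, so any link the user taps chooses the page.
        // webView.loadUrl(target);

        // Hardened pattern: load only after the URL passes the allowlist check.
        if (isTrustedUrl(target)) {
            webView.loadUrl(target);
        } else {
            finish();
        }
    }

    // True only for https URLs whose host exactly matches an approved host.
    static boolean isTrustedUrl(String target) {
        Uri uri = Uri.parse(target);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false;
        if (!scheme.equalsIgnoreCase("https")) return false;
        // Exact match, never startsWith/endsWith/contains:
        // "www.example.com.evil.invalid" must be rejected.
        return TRUSTED_HOSTS.contains(host.toLowerCase());
    }
}
```

Pair the allowlist with `WebView.setWebViewClient` overrides that apply the same check on every navigation, since redirects inside the WebView can otherwise leave the approved domain.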