Microsoft: This bug in TikTok’s Android app could have allowed one-click account hijacking

Man using his Mobile Phone in the street, bokeh

Image: Getty Images/iStockphoto

Microsoft has detailed a high-severity flaw in the TikTok Android app that could have allowed an attacker to hijack an account when users click on a link.

Fortunately, developers at TikTok parent ByteDance quickly fixed the flaw after Microsoft researchers reported the issue to it in February through its bug bounty program, according to Dimitrios Valsamaras, a researcher with the Microsoft 365 Defender Research Team.

The bug has now been assigned the identifier CVE-2022-28799and while it is fixed, Microsoft is urging all TikTok users on Android to update the app to the latest version.

SEE: These are the biggest cybersecurity threats. Make sure you aren’t ignoring them

It’s a nasty flaw in the app’s exposed JavaScript interface that could be exploited via a WebView component of the TikTok Android app, which has been downloaded 1.5 billion times from the Google Play store. WebView is a component of Android that lets Android apps, which are written in the Java programming language and Java-compatible Kotlin, display web content.

“The TikTok application before 23.7.3 for Android allows account takeover… This may allow an attacker to leverage an attached JavaScript interface for the takeover with one click,” reads the MITER entry for CVE-2022-28799.

Nor Valsamaras notes in a blogpostthere are two versions of the TikTok Android app. One (with the package name com.ss.android.ugc.trill) is for East and Southeast Asia and another (with the package name com.zhiliaoapp.musically) is for other regions. Both contained the vulnerability.

“We commend the efficient and professional resolution from the TikTok security team. TikTok users are encouraged to ensure they’re using the latest version of the app,” writes Valsamaras.

The vulnerability stems from the way TikTok developers implemented the app’s JavaScript interfaces in WebView. The interface can provide “bridge functionality”, so that JavaScript code in a web page invokes specific Java methods of a particular class in the app.

“Loading untrusted web content to WebView with application-level objects accessible via JavaScript code renders the application vulnerable to JavaScript interface injection, which may lead to data leakage, data corruption, or, in some cases, arbitrary code execution,” explains Valsamaras.

However, the actual vulnerability is in how the TikTok app handles a particular “deeplink” on Android, according to Valsamaras. Developers can use deeplinks to link to a chosen component within an app. When users click a deeplink, the Android package manager checks all installed apps to see which one can respond to the deeplink and then routes it to the company declared as its handler, Valsamaras notes.

TikTok’s implementation of JavaScript interfaces in the app defined the impact of the vulnerability.

“While reviewing the app’s handling of a specific deeplink, we discovered several issues that, when chained together, could have been used to force the application to load an arbitrary URL to the application’s WebView,” writes Valsamaras.

SEE: What, exactly, is cybersecurity? And why does it matter?

Microsoft found “more than 70 exposed methods” when checking the functionality accessible to the JavaScript code in web pages loaded to WebView. Combining the vulnerability with the exposed methods can give attackers extra functionality to view and change users’ private data.

By invoking these methods, the attacker can nab the user’s authentication tokens by triggering a request to a controlled server and logging the cookie and the request headers. The attacker can also retrieve or modify the user’s TikTok account data, such as private videos and profile settings.

“In short, by controlling any of the methods able to perform authenticated HTTP requests, a malicious actor could have compromised a TikTok user account,” writes Valsamaras.

Microsoft more broadly believes that developers using JavaScript interfaces is a bad idea and poses significant risks because compromising that interface can potentially allow attackers to execute code using the app’s ID and privileges. Microsoft has previously detailed flaws caused by JavaScript interfaces in several popular Android apps.

Microsoft recommends developers instead use an “approved list of trusted domains to be loaded to the application’s WebView to prevent loading malicious or untrusted web content.”

Google has also published a page for Android app developers to remedy JavaScript Interface Injection vulnerabilities.

Leave a Comment