Microsoft said Wednesday that it recently identified a vulnerability in TikTok’s Android app that could allow attackers to hijack accounts if users click just a single malicious link. The software maker said it notified TikTok of the vulnerability in February and that the China-based social media company has since fixed the bug, tracked as CVE-2022-28799.
The vulnerability was in how the app verified so-called deep links, which are Android-specific hyperlinks for accessing individual components within a mobile app. Deep links must be declared in an app’s manifest for use outside of the app so that, for example, someone who clicks on a TikTok link in a browser automatically opens the content in the TikTok app.
An app can also cryptographically declare the validity of a URL domain. For example, TikTok on Android declares the domain m.tiktok.com. Normally, the TikTok app allows content from tiktok.com to be loaded in its WebView component but forbids WebView from loading content from other domains.
Researchers went on to create a proof-of-concept exploit that loaded content from another domain in exactly that way. It involved sending a targeted TikTok user a malicious link that, when clicked, would retrieve the authentication tokens that TikTok servers need to allow users to prove ownership of their accounts. The PoC link also changed the target user’s profile bio to include the text “!!SECURITY BREACH!!”.
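The restriction described above, that only tiktok.com content may be loaded in the app's WebView, is only as strong as the check that enforces it. The block below is an added illustration, not TikTok's code and not derived from Microsoft's write-up: it models the allow-list decision outside Android, in plain Python, and contrasts a substring test with a parse-based comparison of scheme and host. The hosts in `ALLOWED_HOSTS` are the ones the article names; every sample URL is constructed for the demonstration.

```python
"""Host allow-list check for URLs an app is about to hand to its WebView.

Added example, not the app's own code. It contrasts a substring check with a
parse-based check; the sample URLs below are constructed for illustration.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"tiktok.com", "m.tiktok.com"}  # hosts named in the article


def naive_allows(url: str) -> bool:
    """A substring test: the kind of check that looks right but is not."""
    return "tiktok.com" in url


def strict_allows(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Parse the URL and compare the scheme and the exact host to an allow-list."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    host = parts.hostname  # lower-cased; userinfo and port already stripped
    if not host:
        return False
    if host in allowed_hosts:
        return True
    # Permit subdomains of an allowed host, but only on a label boundary.
    return any(host.endswith("." + h) for h in allowed_hosts)


# Constructed sample URLs (not from the article); each comment says what it probes.
SAMPLE_URLS = [
    "https://m.tiktok.com/v/123",              # legitimate
    "https://www.tiktok.com/@someone",         # legitimate subdomain
    "http://m.tiktok.com/v/123",               # wrong scheme
    "https://tiktok.com.example.net/",         # allowed name as a leading label
    "https://example.net/?next=tiktok.com",    # allowed name in the query string
    "https://tiktok.com@example.net/",         # allowed name as userinfo
    "https://example.net/tiktok.com",          # allowed name in the path
]


def compare(urls=SAMPLE_URLS):
    """Return {url: (naive_verdict, strict_verdict)} for each sample URL."""
    return {u: (naive_allows(u), strict_allows(u)) for u in urls}


if __name__ == "__main__":
    for u, (naive, strict) in compare().items():
        print(f"{u:42} naive={naive!s:5} strict={strict}")
```

Run as a script, the table shows the substring check accepting all seven URLs while the parse-based check accepts only the two whose host is genuinely under tiktok.com. The design point is that the decision must be made on the parsed host of the final URL, after scheme, userinfo, port and path have been separated out, and the same discipline applies to any URL that arrives through a deep link before it is passed to a WebView.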
Microsoft said it had no evidence the vulnerability was actively being exploited in the wild.