Microsoft found a vulnerability in TikTok that allowed one-click account reconciliations

Microsoft said Wednesday that it recently identified a vulnerability in TikTok’s Android app that could allow attackers to hijack accounts when users do nothing more than click a single wrong link. The software maker said it notified TikTok of the vulnerability in February and that the China-based social media company has since fixed the flaw, which is tracked as CVE-2022-28799.

The vulnerability lies in how the app checks for what are known as deep links, which are Android-specific hyperlinks to access individual components within a mobile application. Deep links must be declared in the app manifest for use outside the app, so, for example, a person who clicks on a TikTok link in the browser has the content automatically opened in the TikTok app.

The app can also cryptically announce the validity of a URL domain. TikTok on Android, for example, advertises the domain m.tiktok.com. Normally, TikTok will allow content from tiktok.com to be loaded into its WebView component but prevent WebView from loading content from other domains.

“The vulnerability allowed the application’s deep link verification to be bypassed,” the researchers wrote. “Attackers can force the application to load a random URL into the application’s WebView, which then allows the URL to access JavaScript bridges attached to the WebView and grant functionality to the attackers.”

Researchers continued to create a proof-of-concept exploit that did just that. It involved sending a malicious link to a targeted TikTok user, which, when clicked, obtained the authentication codes that TikTok servers require for users to verify ownership of their account. The PoC linker also changed the bio of the target user’s profile to display the text “!! SECURITY BREACH!!”

Once the malicious link designed specifically for the attacker is clicked by the targeted TikTok user, the attacker’s server, https://www.attacker[.]com/poc, is given full access to the JavaScript bridge and can call any exposed function,” the researchers wrote. The attacker’s server returns an HTML page containing JavaScript code to send the video upload codes to the attacker as well as change a bio.”

Microsoft said it had no evidence that the vulnerability was actively exploited in the wild.