Security researchers at Microsoft found a high-severity vulnerability in TikTok that could have allowed hackers to launch an arbitrary website to steal data from the accounts of users with just a single click.
Microsoft notified TikTok of the vulnerability in February 2022. Although the vulnerability, tracked as CVE-2022-28799, was fixed, users were asked to update the video hosting application to its latest version to avoid hacking attempts in the future.
Malicious links
According to the report, cyber attackers could create malicious links and send them to targeted TikTok users, because the bug allowed the application’s “deeplink verification” to be bypassed. Once clicked, the link would give the hacker full access to the JavaScript bridge and allow them to send and retrieve data without the user’s knowledge.
Elaborating on the flaw, the report explained how the hacker could have leveraged the vulnerability using TikTok’s JavaScript interface. WebView, a component of the Android operating system, provides the JavaScript interfaces and assists the application in displaying web pages. The hackers could use this to load untrusted web pages, and such exploitation could lead to data leaks, data corruption and arbitrary code execution on the application.
Range of exploitation
This vulnerability would also allow cyber attackers to access and modify user information. They could misuse sensitive details, including pictures, videos and messages, and sell or publish them online. Moreover, hackers could use the flaw to send messages in the name of the TikTok user and exploit social connections.
Using the flaw, attackers could perform authenticated HTTP requests and acquire user authentication tokens using cookies and other files. They could also trigger a request to a TikTok endpoint and retrieve the reply using JavaScript to perform various other unethical practices in any user account.
Developers take precaution
Using JavaScript interfaces poses several risks, and Microsoft security researchers therefore urged developers to prepare against threats. The report recommended using trusted domains to avoid loading malicious and untrusted web content. End users were also encouraged not to click on untrusted links or web pages, as phishing attacks are commonly used by hackers.
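One way to apply the trusted-domains recommendation is to validate every URL before it is loaded into a WebView that exposes a JavaScript interface. The sketch below is an added example, not code from Microsoft's report or from TikTok; the class name, method name and host names are constructed placeholders, and it assumes the app keeps an explicit list of hosts allowed to use the bridge.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added example: hosts below are constructed placeholders, not real application domains.
public class TrustedUrlCheck {
    // Assumption: only these exact hosts may be loaded with the JavaScript bridge attached.
    private static final Set<String> TRUSTED_HOSTS =
            Set.of("app.example.com", "help.example.com");

    /** True only for https URLs without userinfo whose host is an exact allowlist match. */
    static boolean isTrusted(String url) {
        final URI uri;
        try {
            uri = new URI(url); // strict parse: backslashes, spaces and similar are rejected
        } catch (URISyntaxException e) {
            return false;
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        if (uri.getRawUserInfo() != null) return false; // no "user@host" authority confusion
        String host = uri.getHost();                    // null when the authority is not a plain host
        if (host == null) return false;
        // Exact match, not contains() or endsWith(): lookalike hosts must not pass.
        return TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the first and last should load, the rest must be rejected.
        List<String> samples = List.of(
                "https://app.example.com/profile",
                "http://app.example.com/profile",
                "https://app.example.com.untrusted.test/",
                "https://untrusted.test/?next=app.example.com",
                "https://app.example.com@untrusted.test/",
                "javascript:alert(1)",
                "https://APP.example.com/");
        for (String s : samples) {
            System.out.printf("%-48s %s%n", s, isTrusted(s) ? "load with bridge" : "reject");
        }
    }
}
```

The same decision should be applied to every navigation and redirect, not only the first URL taken from the link, so that a trusted page cannot hand the bridge to an untrusted one.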