Microsoft Spots TikTok Flaw That Compromises Account with One Click

The TikTok vulnerability could allow cyber attackers to access, modify and misuse sensitive details including pictures, videos, messages, and more.

Published September 1, 2022

Security researchers at Microsoft found a high-severity vulnerability in TikTok's Android app that could have allowed attackers to take over a user's account with a single click on a crafted link, by making the app load an attacker-controlled website.

Microsoft notified TikTok of the vulnerability in February 2022. Although the flaw, tracked as CVE-2022-28799, has since been fixed, users are advised to update the app to its latest version, because unpatched versions remain affected.

Malicious links

According to the report, an attacker could craft a malicious link and send it to a targeted TikTok user: the bug allowed the app's "deeplink verification" to be bypassed, so the link could make the app load a page the attacker controls. Once the link was clicked, that page had full access to the app's JavaScript bridge and could send and retrieve data without the user's knowledge.

Elaborating on the flaw, the report explained how an attacker could abuse TikTok's JavaScript interface. WebView, the Android component that apps use to display web pages, lets an app expose JavaScript interfaces: native methods that scripts in a loaded page can call. If an attacker can get the app to load an untrusted web page into such a WebView, that page can call those methods, and exploitation can lead to data leaks, data corruption and arbitrary code execution in the context of the application.

Range of exploitation

The vulnerability would also allow attackers to access and modify user information. They could misuse sensitive details such as pictures, videos and private messages, and sell or publish them online. Attackers could also send messages in the victim's name and exploit the victim's social connections.

Using the flaw, an attacker could perform authenticated HTTP requests from the victim's session and obtain the user's authentication tokens from cookies and other stored files. They could also trigger a request to a TikTok endpoint and read the response with JavaScript, enabling a wide range of actions in the victim's account.

Developers take precaution

Exposing JavaScript interfaces carries real risk, so Microsoft's researchers urged developers to defend against it. The report recommends that apps load web content only from trusted domains, which in practice means validating a URL before handing it to a WebView rather than loading whatever a link supplies. End users are advised not to click untrusted links or pages, since phishing links are a common delivery method for this kind of attack.
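As an added example (not TikTok's code and not Microsoft's proof of concept), the following Android Activity shows the pattern the report describes: a deep link carries a URL that the app renders in a WebView which also exposes a JavaScript bridge. The package, class, deep-link scheme, query parameter name, allowlisted hosts and the bridge's getSessionToken method are all assumptions made for illustration. The commented-out loadUrl call is the vulnerable form, which trusts the nested url parameter; isTrustedUrl is the hardened check that implements the trusted-domain recommendation.

```java
// Added illustrative example, not code from TikTok or Microsoft.
// Package, class, scheme, parameter and host names are assumptions.
package com.example.deeplinkdemo;

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class DeepLinkWebActivity extends Activity {

    // Hosts whose pages are allowed to reach the bridge (assumed allowlist).
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com", "m.example.com"));

    // Bridge object exposed to page JavaScript. Every method here runs with the
    // app's privileges, so whichever page is loaded can call it.
    static final class SessionBridge {
        private final String sessionToken;

        SessionBridge(String sessionToken) {
            this.sessionToken = sessionToken;
        }

        // A page calls window.AppBridge.getSessionToken(); if an untrusted page
        // is loaded, the app's session token leaks to the attacker.
        @JavascriptInterface
        public String getSessionToken() {
            return sessionToken;
        }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new SessionBridge(loadSessionToken()), "AppBridge");
        setContentView(webView);

        // Deep link of the assumed form exampleapp://open?url=https://...
        Intent intent = getIntent();
        Uri deepLink = intent.getData();
        if (deepLink == null) {
            finish();
            return;
        }
        String target = deepLink.getQueryParameter("url");

        // VULNERABLE: the platform only routed the exampleapp:// scheme to us;
        // the nested 'url' value is loaded as-is, so any page reaches AppBridge.
        // webView.loadUrl(target);

        // HARDENED: validate the nested URL before it reaches the WebView.
        if (isTrustedUrl(target)) {
            webView.loadUrl(target);
        } else {
            finish();
        }
    }

    // Strict allowlist check: https only, no userinfo, exact host match.
    static boolean isTrustedUrl(String candidate) {
        if (candidate == null) {
            return false;
        }
        Uri uri = Uri.parse(candidate);
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return false;
        }
        // Reject "https://www.example.com@evil.example/" style confusion.
        if (uri.getUserInfo() != null) {
            return false;
        }
        String host = uri.getHost();
        if (host == null) {
            return false;
        }
        // Exact match rather than endsWith(): "evil-example.com" must not pass.
        return TRUSTED_HOSTS.contains(host.toLowerCase());
    }

    private String loadSessionToken() {
        // Stand-in for wherever the real app keeps its session (assumed).
        return "session-token";
    }
}
```

The point of the hardened branch is that the scheme, userinfo and host are checked on the parsed URL the WebView will actually load, not on the outer deep link: the outer link was already "verified" in the sense that the platform routed it to the app, but the value it carried was never inspected. Checking host equality against an allowlist, rather than a substring or suffix match, is what keeps a lookalike domain from reaching the bridge.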

Written By

The Cyber Express is a publication that aims to provide the latest news and analysis about the information security industry. The news comes from a variety of sources and is updated regularly so that readers can stay up to date with the latest happenings in this rapidly growing field.