
Microsoft Discovers Severe ‘One-Click’ Exploit for TikTok Android App
2022-09-01 07:13

"Attackers could have leveraged the vulnerability to hijack an account without users' awareness if a targeted user simply clicked a specially crafted link," Dimitrios Valsamaras of the Microsoft 365 Defender Research Team said in a write-up.

Successful exploitation of the flaw could have permitted malicious actors to access and modify users' TikTok profiles and sensitive information, leading to the unauthorized exposure of private videos.

The issue, addressed in version 23.7.3, affects two flavors of TikTok's Android app com.

Tracked as CVE-2022-28799, the vulnerability has to do with the app's handling of what's called a deeplink, a special hyperlink that allows apps to open a specific resource within another app installed on the device rather than directing users to a website.

Put simply, the flaw makes it possible to circumvent the app's restrictions that are meant to reject untrusted hosts, so that any website of the attacker's choosing gets loaded through the Android System WebView, the component apps use to display web content inside their own user interface.

Because the WebView is hijacked into loading a rogue website, the attacker's page runs with the access the app grants to its own web content: it could invoke over 70 TikTok endpoints exposed to the WebView through the app's JavaScript bridge, effectively compromising the integrity of the user's profile.
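The bug class described above, as an added illustration rather than TikTok's code or Microsoft's proof of concept: a deep-link handler pulls a URL out of the link and gates it with a substring-style host check, shown next to a version that parses the URL and compares the hostname exactly. The exampleapp:// scheme, the url query parameter and the m.example.com allowlist are assumptions made for this demo, and the specific check TikTok used and the specific bypass Microsoft found are not reproduced here; the example shows the general ways a loosely written allowlist lets an untrusted host through.

```python
"""Deep link -> WebView host allowlist: a weak check beside a hardened one.

Added illustration, not TikTok's or Microsoft's code. The exampleapp://
scheme, the 'url' parameter and the allowlist below are assumptions.
"""
from urllib.parse import urlsplit, parse_qs

# Hosts the app is willing to render in its WebView (assumed allowlist).
TRUSTED_HOSTS = {"m.example.com", "www.example.com"}


def extract_webview_url(deeplink: str):
    """Return the URL carried by a deep link of the assumed form
    exampleapp://webview?url=<percent-encoded URL>, or None when the link
    does not have that shape (e.g. it targets a different screen)."""
    parts = urlsplit(deeplink)
    if parts.scheme != "exampleapp" or parts.netloc != "webview":
        return None
    values = parse_qs(parts.query).get("url")
    return values[0] if values else None


def weak_is_trusted(url: str) -> bool:
    """Substring-style allowlist: rejects untrusted hosts only on paper,
    because the trusted name may appear anywhere in the URL (as a suffix of
    another domain, inside a query string, or as userinfo before '@')."""
    return url.startswith("https://") and any(host in url for host in TRUSTED_HOSTS)


def hardened_is_trusted(url: str) -> bool:
    """Parse first, then compare the hostname exactly against the allowlist."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    # .hostname lowercases and drops userinfo and port, so
    # 'https://m.example.com@evil.example/' yields 'evil.example' here.
    return parts.hostname in TRUSTED_HOSTS


def decide(deeplink: str) -> dict:
    """Run both checks on the URL inside a deep link and report what each
    one would have allowed the WebView to load."""
    url = extract_webview_url(deeplink)
    if url is None:
        return {"url": None, "weak": False, "hardened": False}
    return {"url": url, "weak": weak_is_trusted(url), "hardened": hardened_is_trusted(url)}


# Constructed deep links (not real TikTok traffic). The first is the
# legitimate case; the others carry a URL whose real host is evil.example
# while still containing the trusted name somewhere in the string.
SAMPLE_DEEPLINKS = {
    "legit": "exampleapp://webview?url=https%3A%2F%2Fm.example.com%2Fhelp",
    "suffix_domain": "exampleapp://webview?url=https%3A%2F%2Fm.example.com.evil.example%2F",
    "host_in_query": "exampleapp://webview?url=https%3A%2F%2Fevil.example%2F%3Fnext%3Dhttps%3A%2F%2Fm.example.com",
    "userinfo": "exampleapp://webview?url=https%3A%2F%2Fm.example.com%40evil.example%2F",
}

if __name__ == "__main__":
    for name, link in SAMPLE_DEEPLINKS.items():
        print(f"{name:14s} {decide(link)}")
```

Run stand-alone, the weak check accepts all four constructed links while the hardened check accepts only the legitimate one. The same ordering matters in an Android app: the hostname comparison has to happen on the parsed URL immediately before the WebView is asked to load it, and any JavaScript bridge should only be attached once the host has passed, since a page that slips through inherits whatever that bridge exposes.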


News URL

https://thehackernews.com/2022/09/microsoft-discover-severe-one-click.html

Related Vulnerability

Date: 2022-06-02
CVE: CVE-2022-28799
Title: Forced Browsing vulnerability in TikTok
Description: The TikTok application before 23.7.3 for Android allows account takeover.
Attack vector: network, low complexity
Vendor: tiktok
Weakness: CWE-425 (Direct Request, 'Forced Browsing')
Risk (CVSS): 8.8 (High)

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 480 75 2308 5127 264 7774