Microsoft Discovers Severe ‘One-Click’ Exploit for TikTok Android App
"Attackers could have leveraged the vulnerability to hijack an account without users' awareness if a targeted user simply clicked a specially crafted link," Dimitrios Valsamaras of the Microsoft 365 Defender Research Team said in a write-up.
Successful exploitation of the flaw could have permitted malicious actors to access and modify users' TikTok profiles and sensitive information, leading to the unauthorized exposure of private videos.
The issue, addressed in version 23.7.3, impacts two flavors of its Android app com.
Tracked as CVE-2022-28799, the vulnerability has to do with the app's handling of what's called a deeplink, a special hyperlink that allows apps to open a specific resource within another app installed on the device rather than directing users to a website.
Put simply, the flaw makes it possible to circumvent the app's restrictions that reject untrusted hosts and load any website of the attacker's choice through the Android System WebView, a mechanism for displaying web content inside other apps.
A consequence of this exploit, which hijacks the WebView to load rogue websites, is that it could permit the adversary to invoke over 70 exposed TikTok endpoints, effectively compromising the integrity of a user's profile.
News URL
https://thehackernews.com/2022/09/microsoft-discover-severe-one-click.html
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK (CVSS) |
|---|---|---|---|
| 2022-06-02 | CVE-2022-28799 | Forced Browsing vulnerability in TikTok: the TikTok application before 23.7.3 for Android allows account takeover. | 8.8 |