The flaw was in the deeplink verification process of the app.
Microsoft announced on Wednesday that it had discovered a vulnerability in TikTok’s Android app that could allow attackers to hijack accounts when a user simply clicked on a malicious link. The software maker stated that it notified TikTok of the vulnerability in February and that the China-based social media company has since fixed the flaw, which has been assigned the identifier CVE-2022-28799.
The flaw was in how the app validated deeplinks, which are Android-specific hyperlinks for accessing individual components within a mobile app. Deeplinks must be declared in an app’s manifest for use outside of the app, so that someone who clicks on a TikTok link in a browser has the content opened in the TikTok app automatically.
An app can also cryptographically declare the validity of a URL domain. TikTok, for example, declares the domain m.tiktok.com. Normally, the TikTok app allows content from tiktok.com to be loaded into its WebView component and refuses to load content from other domains.
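An added example, not TikTok's or Microsoft's code: a strict host allow-list check an app could run before handing a deeplink-supplied URL to a WebView that has JavaScript bridges attached. The class name, the allow-list contents and the sample URLs are constructed for illustration, and it uses `java.net.URI` so that it runs on a plain JVM.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Hypothetical helper: decides whether a URL taken from a deeplink may be
// loaded into a WebView that has JavaScript bridges attached.
public class WebViewUrlGate {
    // Assumed allow-list; m.tiktok.com is the domain named in the article.
    private static final Set<String> ALLOWED_HOSTS = Set.of("m.tiktok.com");

    static boolean isTrusted(String raw) {
        if (raw == null) return false;
        final URI uri;
        try {
            uri = new URI(raw.trim());
        } catch (URISyntaxException e) {
            return false;                 // unparseable input is rejected, not repaired
        }
        // Only absolute https URLs; this drops javascript:, file:, intent:, http:.
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        // Credentials in the authority ("user@host") can disguise the real host.
        if (uri.getRawUserInfo() != null) return false;
        String host = uri.getHost();      // null unless the authority is a plain host[:port]
        if (host == null) return false;
        if (uri.getPort() != -1 && uri.getPort() != 443) return false;
        // Exact match on the parsed host; never contains()/endsWith() on the raw string.
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        List<String> samples = List.of(
            "https://m.tiktok.com/video/123",
            "https://m.tiktok.com.example.net/",       // allowed name as a subdomain label
            "https://m.tiktok.com@example.net/",       // allowed name placed in userinfo
            "https://example.net/?next=m.tiktok.com",  // allowed name only in the query
            "http://m.tiktok.com/",                    // cleartext
            "javascript:alert(1)//m.tiktok.com");      // non-web scheme
        for (String s : samples) {
            System.out.printf("%-45s -> %s%n", s, isTrusted(s) ? "load" : "block");
        }
    }
}
```

Only the first sample is loaded; every other sample is blocked because the decision is made on the parsed scheme, userinfo, host and port rather than on the raw string.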
“The vulnerability allowed the app’s deeplink verification to be bypassed,” the researchers wrote. “Attackers could force the app to load an arbitrary URL to the app’s WebView, which would allow the URL to access the WebView’s attached JavaScript bridges and grant attackers functionality.”
The researchers then developed a proof-of-concept exploit that did exactly that. It entailed sending a malicious link to a specific TikTok user, which when clicked obtained the authentication tokens required by TikTok servers for users to prove ownership of their account. The PoC link also changed the text in the targeted user’s profile bio to “!! SECURITY BREACH!!”
“Once the targeted TikTok user clicks on the attacker’s specially crafted malicious link, the attacker’s server, https://www.attacker[.]com/poc, is granted full access to the JavaScript bridge and can invoke any exposed functionality,” the researchers wrote. “The attacker’s server returns an HTML page containing JavaScript code that allows the attacker to send video upload tokens back to the attacker and change the user’s profile biography.”
According to Microsoft, there is no evidence that the vulnerability was actively exploited in the wild.