The flaw was in the deeplink verification process of the app.
Microsoft announced on Wednesday that it had discovered a vulnerability in TikTok’s Android app that could allow attackers to hijack accounts once a targeted user clicked a single malicious link. The software maker said it notified TikTok of the vulnerability in February and that the China-based social media company has since fixed the flaw, which has been assigned the identifier CVE-2022-28799.
The flaw was in how the app validated deeplinks, Android hyperlinks that open an individual component inside a mobile app rather than a web page. An app must declare the deeplinks it handles in its manifest before they can be used from outside the app; that declaration is what lets a TikTok link clicked in a browser open the content in the TikTok app automatically.
An app can also cryptographically declare that it is the legitimate handler for a URL domain: the domain publishes a file listing the fingerprint of the app’s signing certificate, and Android checks that association when the app is installed. TikTok, for example, declares the domain m.tiktok.com. Normally, the TikTok app will allow content from tiktok.com to be loaded into its WebView component but will not allow content from other domains to be loaded into WebView.
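How a deeplink handler should gate what reaches the WebView, shown as an added example written for this article; it is neither TikTok’s code nor Microsoft’s proof of concept. It is in Python so it runs off-device; on Android the same logic belongs in the activity that receives the deeplink intent, before any call to WebView.loadUrl. The `exampleapp://webview?url=...` link shape, the host allow-list, the hypothetical `handle_deeplink` helper and the sample links are all constructed for illustration and say nothing about how TikTok’s own check failed.

```python
from urllib.parse import urlsplit, parse_qs

# Hosts the app is willing to render inside its WebView. Assumed allow-list for
# the example; a real app would derive this from the domains it declares.
ALLOWED_WEBVIEW_HOSTS = frozenset({"tiktok.com", "www.tiktok.com", "m.tiktok.com"})

# Constructed sample deeplinks. Each carries a URL parameter that the handler
# would pass to the WebView if the check let it through.
SAMPLE_DEEPLINKS = {
    "legit":      "exampleapp://webview?url=https%3A%2F%2Fm.tiktok.com%2Fabout",
    "lookalike":  "exampleapp://webview?url=https%3A%2F%2Fm.tiktok.com.evil.example%2F",
    "userinfo":   "exampleapp://webview?url=https%3A%2F%2Fm.tiktok.com%40evil.example%2F",
    "javascript": "exampleapp://webview?url=javascript%3Aalert(1)",
    "plain_http": "exampleapp://webview?url=http%3A%2F%2Fm.tiktok.com%2F",
}


def weak_host_check(url: str) -> bool:
    """The anti-pattern: a substring match. Any URL that merely contains the
    string 'tiktok.com' (in a subdomain, a path, or userinfo) passes."""
    return "tiktok.com" in url


def is_allowed_webview_url(url: str) -> bool:
    """Parse the URL, then compare the normalised host against an exact allow-list."""
    parts = urlsplit(url)
    if parts.scheme != "https":          # urlsplit lowercases the scheme; rejects http:, javascript:, etc.
        return False
    if "@" in parts.netloc:              # userinfo has no legitimate use here; refuse it outright
        return False
    host = parts.hostname                # lowercased, port stripped
    if not host:
        return False
    return host in ALLOWED_WEBVIEW_HOSTS


def target_url_from_deeplink(deeplink: str):
    """Extract the 'url' parameter from an exampleapp://webview?url=... deeplink,
    or return None if the link is not of that shape."""
    parts = urlsplit(deeplink)
    if parts.scheme != "exampleapp" or parts.netloc != "webview":
        return None
    return parse_qs(parts.query).get("url", [None])[0]


def handle_deeplink(deeplink: str):
    """Return the URL the WebView may load, or None if the deeplink is refused."""
    target = target_url_from_deeplink(deeplink)
    if target is None or not is_allowed_webview_url(target):
        return None
    return target


if __name__ == "__main__":
    for name, link in SAMPLE_DEEPLINKS.items():
        target = target_url_from_deeplink(link)
        print(f"{name:10s} weak={weak_host_check(target)!s:5} strict={handle_deeplink(link) is not None}")
```

Only the `legit` link survives the strict check; the lookalike and userinfo links both pass the substring check, which is the kind of gap that lets attacker-controlled content into a WebView that then exposes JavaScript bridges or cookies. One caveat a practitioner should carry over to Android: validate with the same parser the WebView will use (on Android, `android.net.Uri` rather than a hand-written split), because a URL that one parser reads as `m.tiktok.com` and another as `evil.example` is exactly the disagreement an attacker looks for.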
Microsoft’s researchers developed a proof-of-concept exploit that bypassed that domain restriction. It entailed sending a malicious link to a specific TikTok user; when clicked, the link retrieved the authentication tokens that TikTok’s servers require for a user to prove ownership of their account. The PoC link also changed the text in the targeted user’s profile bio to “!! SECURITY BREACH!!”
According to Microsoft, there is no evidence that the vulnerability was actively exploited in the wild.