Microsoft researchers say that back in February of this year they discovered “an easy way to hack TikTok”: a high-severity vulnerability (CVE-2022-28799) in the TikTok application for Android.
Let me remind you that we also wrote that Vulnerabilities in TikTok Allowed One-Click Accounts Hacking. The bug allowed an attacker to take over another user’s account as soon as the victim clicked a specially crafted link.
The issue affected two builds of the Android app: com.ss.android.ugc.trill (for users in East and Southeast Asia) and com.zhiliaoapp.musically (for users in all other countries except India, where TikTok is banned). Together, the vulnerable apps accounted for more than 1.5 billion installations.
The vulnerability lay in the app’s handling of so-called deeplinks: special links that tell the operating system to open a particular resource inside an installed app instead of in the browser. On Android an app declares which links it handles in its manifest, and a link that matches is delivered to the app as an intent, including any parameters the link carries.
The flaw let an attacker bypass the app’s deeplink verification, which is supposed to reject untrusted hosts, and load an arbitrary URL of the attacker’s choosing in the app’s own WebView.
Once the attacker’s page was loaded in that WebView, the researchers write, it could reach a JavaScript bridge exposing more than 70 native methods, which a single click on the malicious link was enough to trigger. Through those methods the attacker could read or modify the user’s personal information and issue authenticated HTTP requests on the user’s behalf.
Concretely, this gave the attacker two capabilities:
- retrieving the victim’s authentication tokens, by triggering a request to a server under the attacker’s control and logging the cookies and request headers sent with it;
- retrieving or modifying the victim’s TikTok account data, including private videos and profile settings, by sending a request to a TikTok endpoint and receiving the response through a JavaScript callback.
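How a deeplink-to-WebView chain of this kind is typically wired up, and how to close it, as an added illustration for this article. It is not TikTok’s code and does not claim to reproduce the exact check Microsoft bypassed, which the write-up does not detail; the class, bridge, parameter and host names (DeepLinkWebViewActivity, AppBridge, the `url` query parameter, the example.com hosts) are assumptions. The first method shows the weak pattern the article describes: a WebView that takes its target from the deeplink, checks the host loosely and attaches a privileged JavaScript bridge. The second applies an exact host allow-list, attaches the bridge only to trusted pages and keeps later navigations inside the allow-list.

```java
// Added illustration, not TikTok's code. Names and hosts are assumptions.
// Requires API 24+ for the WebResourceRequest form of shouldOverrideUrlLoading.
package com.example.deeplink;

import android.annotation.SuppressLint;
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class DeepLinkWebViewActivity extends Activity {

    // Hosts whose pages are allowed to call the privileged bridge (assumed values).
    private static final Set<String> TRUSTED_HOSTS = new HashSet<>(
            Arrays.asList("m.example.com", "www.example.com"));

    // A privileged bridge of the kind the article describes: every
    // @JavascriptInterface method is callable by whatever page is loaded
    // while the bridge is attached, including an attacker's page.
    static final class AppBridge {
        private final String sessionToken;
        AppBridge(String sessionToken) { this.sessionToken = sessionToken; }

        @JavascriptInterface
        public String getSessionToken() { return sessionToken; }
    }

    // WEAK shape: the target comes straight from the deeplink and the "host check"
    // is a substring match, so https://evil.example/?x=m.example.com or
    // https://m.example.com.evil.example/ both pass and receive the bridge.
    @SuppressLint("SetJavaScriptEnabled")
    void loadWeak(WebView webView, Uri deepLink, String token) {
        String target = deepLink.getQueryParameter("url");
        if (target != null && target.contains("example.com")) {
            webView.getSettings().setJavaScriptEnabled(true);
            webView.addJavascriptInterface(new AppBridge(token), "AppBridge");
            webView.loadUrl(target);
        }
    }

    // HARDENED check: parse the target, require https, reject odd authorities
    // (userinfo, backslashes) that android.net.Uri and the WebView's own URL
    // parser may interpret differently, then compare the whole host exactly.
    static boolean isTrustedTarget(Uri target) {
        if (target == null || !"https".equalsIgnoreCase(target.getScheme())) return false;
        String authority = target.getEncodedAuthority();
        if (authority == null || authority.contains("@") || authority.contains("\\")) return false;
        String host = target.getHost();
        return host != null && TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    @SuppressLint("SetJavaScriptEnabled")
    void loadHardened(WebView webView, Uri deepLink, String token) {
        String raw = deepLink.getQueryParameter("url");
        Uri target = raw == null ? null : Uri.parse(raw);
        if (!isTrustedTarget(target)) {
            finish(); // untrusted deeplink: load nothing, with or without the bridge
            return;
        }
        webView.getSettings().setJavaScriptEnabled(true);
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Block later top-level navigations (links, script, redirects) to
                // untrusted hosts so the bridge is never attached to an attacker's page.
                return !isTrustedTarget(request.getUrl());
            }
        });
        webView.addJavascriptInterface(new AppBridge(token), "AppBridge");
        webView.loadUrl(target.toString());
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        // Assumed deeplink form: app://webview?url=https%3A%2F%2Fm.example.com%2Fprofile
        Uri deepLink = getIntent().getData();
        if (deepLink != null) {
            loadHardened(webView, deepLink, "session-token-placeholder");
        }
    }
}
```

The important design point is the order of operations: the trust decision is made on the parsed host before the bridge exists, and it is re-applied to every subsequent navigation, because a trusted page that redirects to an attacker’s page would otherwise hand the bridge over. Keeping the bridge small and free of anything that returns credentials limits the damage if the allow-list is ever bypassed again.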
Microsoft reported the problem to TikTok earlier this year, and the fix shipped in version 23.7.3 of the app, so users should make sure they are running that version or later. Microsoft says it is not aware of any in-the-wild exploitation of the bug.