Microsoft researchers said that back in February of this year they discovered “an easy way to hack TikTok”: a serious vulnerability (CVE-2022-28799) in the TikTok application for Android. Let me remind you that we also wrote that Vulnerabilities in TikTok Allowed One-Click Accounts Hacking.
The bug allowed an attacker to take over another person’s account instantly, as soon as the victim clicked on a specially crafted malicious link.
The issue affected two builds of the Android app: com.ss.android.ugc.trill (for users in East and Southeast Asia) and com.zhiliaoapp.musically (for users in all other countries, except India, where TikTok is banned). Together, the vulnerable apps accounted for more than 1.5 billion installations.
The vulnerability lay in the handling of so-called deeplinks: special hyperlinks that let one application open a specific resource inside another application instead of sending the user to a website.
In effect, the flaw allowed an attacker to bypass the app’s deeplink validation, which should have rejected untrusted hosts, and to load any site of the attacker’s choosing in the application’s WebView.
As a result, the following opportunities opened up to the attacker:
- obtaining the victim’s authentication tokens (by making the WebView send a request to a server under the attacker’s control and intercepting the cookies and request headers);
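To illustrate the class of mistake described above, here is an added example (not code from TikTok or from Microsoft’s report) showing how a deeplink host check that merely compares string prefixes lets untrusted hosts through, next to a check that parses the URL first and compares the exact host against an allowlist. The allowlist, the `url` query parameter that the deeplink is assumed to carry, and the lookalike domain `evil.example` are all hypothetical; the real app is written for Android, and Python is used here only because the logic is language-neutral.

```python
from urllib.parse import urlsplit, parse_qs

# Hypothetical allowlist of hosts whose pages the WebView may render.
ALLOWED_HOSTS = {"m.tiktok.com", "www.tiktok.com"}


def naive_is_trusted(url: str) -> bool:
    """Prefix check of the kind that lets untrusted hosts through.

    Anything that merely *starts with* a trusted origin passes, so a
    registered lookalike ('https://m.tiktok.com.evil.example/') or a
    userinfo trick ('https://m.tiktok.com@evil.example/') is accepted.
    """
    return url.startswith("https://m.tiktok.com") or url.startswith(
        "https://www.tiktok.com"
    )


def strict_is_trusted(url: str) -> bool:
    """Parse first, then compare the exact host against the allowlist."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # Userinfo before '@' is never legitimate for an in-app page load.
    if parts.username is not None or parts.password is not None:
        return False
    # hostname is already lower-cased; strip a trailing dot (FQDN form).
    host = (parts.hostname or "").rstrip(".")
    return host in ALLOWED_HOSTS


def webview_target(deeplink: str, trusted=strict_is_trusted):
    """Resolve the page a deeplink asks the app to load.

    Hypothetical scheme: the deeplink may carry the page to open in a
    'url' query parameter. Both the deeplink itself and the nested URL
    must pass the same host check; returns None when either fails.
    """
    if not trusted(deeplink):
        return None
    parts = urlsplit(deeplink)
    inner = parse_qs(parts.query).get("url", [None])[0]
    if inner is None:
        return deeplink
    return inner if trusted(inner) else None


if __name__ == "__main__":
    # Constructed sample deeplink: outer host is legitimate, nested URL is not.
    crafted = (
        "https://m.tiktok.com/redirect?"
        "url=https%3A%2F%2Fm.tiktok.com.evil.example%2F"
    )
    print("naive :", webview_target(crafted, trusted=naive_is_trusted))
    print("strict:", webview_target(crafted, trusted=strict_is_trusted))
```

With the naive check the crafted link ends up loading the attacker’s page inside the app’s WebView; with the strict check the same link is rejected. The same parse-then-compare rule has to be applied to every URL that reaches the WebView, including any nested or forwarded URL parameters, since validating only the outer deeplink is exactly the gap such bypasses exploit.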
The researchers reported the problem to TikTok’s developers back in the spring, and the Chinese social network has since fixed the vulnerability in version 23.7.3. Microsoft says it is not aware of any exploitation of this bug in the wild.