Microsoft Finds Account Takeover Bug in TikTok

    Security researchers have discovered a high severity vulnerability in TikTok’s Android app which could allow attackers to remotely hijack user accounts.

    Microsoft reported CVE-2022-28799 to the social media giant in February 2022, after which TikTok promptly fixed the issue. Although the app has an estimated 1.5 billion downloads on the Play Store, the bug has not yet been exploited in the wild, Microsoft claimed.

    “The vulnerability allowed the app’s deeplink verification to be bypassed,” explained Microsoft. “Attackers could force the app to load an arbitrary URL to the app’s WebView, allowing the URL to then access the WebView’s attached JavaScript bridges and grant functionality to attackers.”

    Microsoft also identified over 70 exposed JavaScript methods which, combined with a WebView hijack such as this bug, could be used to grant that functionality to attackers.

    By doing so, attackers can:

    • Retrieve the user’s authentication tokens by triggering a request to a controlled server and logging the cookie and the request headers
    • Retrieve or modify the user’s TikTok account data by triggering a request to a TikTok endpoint and retrieving the reply via the JavaScript callback

    “Once the attacker’s specially crafted malicious link is clicked by the targeted TikTok user, the attacker’s server is granted full access to the JavaScript bridge and can invoke any exposed functionality,” Microsoft wrote in its proof of concept.

    “The attacker’s server returns an HTML page containing JavaScript code to send video upload tokens back to the attacker as well as change the user’s profile biography.”

    With full control over users’ accounts, attackers could change their profile details, send messages, upload videos and even publish private videos.
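A hardened version of the deep-link-to-WebView flow described above, written for Android in Java as an added illustration (it is not TikTok's code or Microsoft's proof of concept): the host allowlist, the `redirect_url` parameter and the `AppBridge` interface are assumed names, and the point is that the URL is checked by exact scheme and host before the WebView loads it or receives a JavaScript bridge.

```java
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class DeepLinkWebViewLoader {
    // Hypothetical allowlist: exact hosts whose pages may be loaded with the bridge attached.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com", "m.example.com"));

    // True only for hierarchical https URLs whose host exactly matches an allowlisted entry.
    public static boolean isAllowedUrl(Uri uri) {
        if (uri == null || !uri.isHierarchical()) return false;   // rejects javascript:, data:, etc.
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        String host = uri.getHost();                               // userinfo and port already stripped
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    // Validates the deep link's target before it reaches the WebView, attaches the JavaScript
    // bridge only for allowlisted origins, and blocks later navigations that leave the allowlist.
    public static boolean load(WebView webView, Uri deepLink) {
        // Hypothetical "redirect_url" query parameter names the page the deep link wants opened.
        String target = deepLink == null ? null : deepLink.getQueryParameter("redirect_url");
        Uri targetUri = target == null ? null : Uri.parse(target);
        if (!isAllowedUrl(targetUri)) {
            return false;                                          // caller shows an error instead
        }
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isAllowedUrl(request.getUrl());            // true cancels the navigation
            }
        });
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new AppBridge(), "AppBridge");
        webView.loadUrl(targetUri.toString());
        return true;
    }

    // Keep the bridge minimal: every @JavascriptInterface method is callable by any page that holds it.
    static final class AppBridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; }
    }
}
```

`shouldOverrideUrlLoading` is not invoked for the initial `loadUrl` call, which is why the target is validated separately before anything is loaded.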