
Hacking TikTok Account With Just a Single Link

Microsoft has found a severe one-click vulnerability in the TikTok Android app


Microsoft has disclosed a high-severity one-click vulnerability in the TikTok Android application that allowed attackers to break into anyone's TikTok account with just a link.

Microsoft noted that the vulnerability has been fixed and it does not appear that anyone has been affected by the exploit. Attackers could have leveraged the vulnerability to hijack an account without users’ awareness if a targeted user simply clicked a specially crafted link. 

Exploiting the bug requires several issues to be chained together. With successful exploitation, attackers gain access to the user's profile, allowing them to publicize private videos, send messages, and even upload videos on behalf of the user.

"The vulnerability allowed the app's deeplink verification to be bypassed. Attackers could force the app to load an arbitrary URL to the app's WebView, allowing the URL to then access the WebView's attached JavaScript bridges and grant functionality to attackers," Microsoft wrote.

The flaw lies in TikTok's WebView handling, which allowed attackers to bypass deep link verification. Once a user clicks the link, the page loaded into the WebView can reach the app's JavaScript bridges, and those bridges give the attacker access to the account.

Figure: Interaction between Java and web components using the JavaScript interface
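To make the mechanism concrete, here is an added illustration of the general Android pattern this class of bug lives in. It is not code from TikTok or from Microsoft's write-up: a deeplink handler that feeds a caller-controlled URL into a WebView carrying a JavaScript bridge, beside a hardened version that validates scheme and host before attaching the bridge and loading the page. The class, method, and host names (DeeplinkActivity, AppBridge, trusted.example.com) are assumptions made for the example.

```java
// Illustrative example only (not TikTok's or Microsoft's code). All names are assumed.
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class DeeplinkActivity extends Activity {

    // Hosts whose pages are allowed into the WebView that carries the JS bridge (assumed value).
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("trusted.example.com"));

    // Every @JavascriptInterface method is callable by ANY page loaded in the WebView
    // the bridge is attached to, so the loaded URL must be trusted before attaching it.
    static class AppBridge {
        @JavascriptInterface
        public String getAccountState() {
            return "<placeholder: app-internal account state>";
        }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        webView.getSettings().setJavaScriptEnabled(true);
        setContentView(webView);

        // Deeplink shape assumed for the example: myapp://open?url=https://trusted.example.com/page
        Intent intent = getIntent();
        Uri deeplink = intent.getData();
        String target = (deeplink == null) ? null : deeplink.getQueryParameter("url");

        // VULNERABLE pattern: the "url" parameter is trusted as-is, so whoever crafts the
        // deeplink decides which page gets the bridge. (Kept as a comment on purpose.)
        //   webView.addJavascriptInterface(new AppBridge(), "AppBridge");
        //   webView.loadUrl(target);

        // HARDENED pattern: validate first, and only then attach the bridge and load.
        if (isTrustedUrl(target)) {
            webView.addJavascriptInterface(new AppBridge(), "AppBridge");
            webView.loadUrl(target);
        } else {
            // Refuse outright rather than loading a fallback page with the bridge attached.
            finish();
        }
    }

    // Exact-match validation of scheme and host. Substring or prefix checks such as
    // host.contains("example.com") are the classic weak point, because they also accept
    // unrelated hosts that merely contain that string.
    static boolean isTrustedUrl(String url) {
        if (url == null) {
            return false;
        }
        Uri parsed = Uri.parse(url);
        String scheme = parsed.getScheme();
        String host = parsed.getHost();
        if (scheme == null || host == null) {
            return false;
        }
        return "https".equals(scheme) && ALLOWED_HOSTS.contains(host.toLowerCase());
    }
}
```

The design point is ordering: the bridge is attached only after the destination has passed an exact scheme-and-host check, so a deeplink that fails validation never reaches a WebView with app functionality exposed to page JavaScript.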

Microsoft security researchers notified TikTok of the issues in February 2022 through Coordinated Vulnerability Disclosure (CVD), as part of its responsible disclosure policy. TikTok quickly responded by releasing a fix for the reported vulnerability, which is now tracked as CVE-2022-28799.

According to the Google Play Store, TikTok has 1.5 billion users, and all of them were affected by the vulnerability.

The vulnerability is actually a combination of several individual issues that, when chained, could give attackers access to these accounts. Microsoft shares everything it learned and how it discovered the exploit in detail on its blog.
