IT NEWS

Instagram receives record fine of $400M for abuse of children’s data

Ireland’s Data Protection Commissioner (DPC), the lead regulator in Europe for Meta and other tech giants, has slapped Instagram with a fine of €405M, roughly equivalent to $402M, following an investigation into how the company handled children’s data.

In the investigation that started in 2020, the DPC found Instagram had allowed children between the ages of 13 and 17 to operate business accounts. That meant their phone numbers and email addresses were made public, which is a clear violation of their privacy.

The DPC also found that some Instagram accounts owned by children were set as “public” by default, instead of “private.”

A spokesperson from Meta said in a statement:

“This inquiry focused on old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private. Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them. We engaged fully with the DPC throughout their inquiry, and we’re carefully reviewing their final decision.”

A DPC spokesperson confirmed the fine with Reuters. He said that full details of the decision will be published next week.

This is the highest fine ever issued by the regulator, easily eclipsing the $267M fine to WhatsApp in 2021 and the $18.6M fine to Facebook in March 2022.

According to Politico, which first covered the story, the DPC has at least six investigations into other companies owned by Meta involving privacy violations.

Update now! QNAP warns users DeadBolt is exploiting Photo Station vulnerability

QNAP (Quality Network Appliance Provider) has warned users to update Photo Station to the latest available version.

The warning comes after QNAP detected that cybercriminals known as DeadBolt have been exploiting a Photo Station vulnerability in order to encrypt QNAP NAS systems that are directly connected to the internet.

QNAP produces NAS (Network Attached Storage) devices, among other things. QNAP’s Photo Station is an online photo album that allows users to share photos and videos stored on their NAS with others over the internet. With Photo Station, users can drag and drop photos into virtual albums, which means they don’t have to create copies when they are needed in more than one album.

DeadBolt

The ransomware group responsible for this attack is generally known as DeadBolt. The name DeadBolt is also used in the file extension of the encrypted files that the group’s ransomware generates.

QNAP and DeadBolt have history. In January 2022, news broke that a ransomware group was targeting QNAP Network Attached Storage (NAS) devices. As a countermeasure, QNAP pushed out an automatic, forced firmware update containing the latest security fixes to protect against the attackers’ DeadBolt ransomware, which annoyed part of its user base.

The vulnerability

Little has been published about the vulnerability, except that the QNAP Product Security Incident Response Team (QNAP PSIRT) made the assessment and released the patched Photo Station app for the current version within 12 hours. All that was made clear is that the ransomware gang is exploiting a Photo Station vulnerability to encrypt QNAP NAS systems that are directly connected to the internet.

The vulnerability has been fixed in the following versions:

  • QTS 5.0.1: Photo Station 6.1.2 and later
  • QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later
  • QTS 4.3.6: Photo Station 5.7.18 and later
  • QTS 4.3.3: Photo Station 5.4.15 and later
  • QTS 4.2.6: Photo Station 5.2.14 and later
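Reading that table by eye is fine for one NAS; for a fleet it is easy to get wrong, because version strings sort differently from version numbers ("5.7.9" sorts after "5.7.18" as text, which would mark an unpatched Photo Station as safe). The following is an added example, not QNAP’s code and not part of the original post: it transcribes the fixed versions above and checks a constructed inventory against them, comparing versions as integer tuples. The inventory and host names are made up for the example.

```python
"""Added example (not QNAP's code, not from the original post): check a NAS
inventory against the fixed Photo Station versions listed in the advisory.
The sample inventory below is constructed for this example."""

import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# QTS branch -> minimum patched Photo Station version, transcribed from the advisory.
# Branches are matched as leading version components, so (4, 5) covers all of 4.5.x.
FIXED_VERSIONS: List[Tuple[Version, Version]] = [
    ((5, 0, 1), (6, 1, 2)),
    ((5, 0, 0), (6, 0, 22)),
    ((4, 5), (6, 0, 22)),
    ((4, 3, 6), (5, 7, 18)),
    ((4, 3, 3), (5, 4, 15)),
    ((4, 2, 6), (5, 2, 14)),
]


def parse_version(text: str) -> Version:
    """'5.7.18' -> (5, 7, 18); 'QTS 5.0.1.2131 build 20220815' -> (5, 0, 1, 2131).

    Versions must be compared as integer tuples: as strings, '5.7.9' sorts
    after '5.7.18', which would mark an unpatched app as safe."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def required_photo_station(qts_version: str) -> Optional[Version]:
    """Minimum patched Photo Station version for this QTS release, or None if
    the release is not covered by the advisory (check with QNAP directly)."""
    qts = parse_version(qts_version)
    for branch, minimum in FIXED_VERSIONS:
        if qts[: len(branch)] == branch:
            return minimum
    return None


def is_patched(qts_version: str, photo_station_version: str) -> Optional[bool]:
    """True/False for covered QTS branches, None when the advisory says nothing."""
    minimum = required_photo_station(qts_version)
    if minimum is None:
        return None
    return parse_version(photo_station_version) >= minimum


# Constructed sample inventory: (host, QTS version, Photo Station version).
SAMPLE_INVENTORY = [
    ("nas-01", "5.0.1.2131", "6.1.2"),
    ("nas-02", "5.0.1.2131", "6.1.1"),
    ("nas-03", "4.5.4.2117", "6.0.22"),
    ("nas-04", "4.3.6.2050", "5.7.9"),   # a string compare would call this safe
    ("nas-05", "4.4.0.1234", "5.9.0"),   # QTS branch not in the advisory
]


def hosts_needing_update(inventory) -> List[str]:
    """Hosts whose Photo Station is below the fixed version, plus hosts whose
    QTS branch the advisory does not cover (treated as needing a manual check)."""
    return [host for host, qts, ps in inventory if is_patched(qts, ps) is not True]


if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: update Photo Station (or switch to QuMagie)")
```

Anything the advisory does not cover is reported as needing attention rather than silently passed, which is the safer default when the list of fixed versions is the only information available.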

How to fix the QNAP Photo Station vulnerability

Update Photo Station to the latest available version, or switch to QuMagie.

Here’s how to update Photo Station:

  • Log on to QTS (the QNAP NAS Operating System) as administrator.
  • Open the App Center and then click the magnifying glass.
  • A search box will appear. Enter “Photo Station”.
  • Click Update and then OK.
  • The application will be updated.

Note: The Update button is not available if your version is already up to date.

Do not connect your NAS directly to the internet. To enhance the security of your NAS, QNAP recommends using its myQNAPcloud Link feature or enabling the built-in VPN service; another VPN of your choice works too.

A week in security (August 29 – September 4)

Last week on Malwarebytes Labs:

Stay safe!

Phishers use verified status as bait for Instagram users

Another Instagram phish is doing the rounds, and will appeal to a wide variety of platform users. Bleeping Computer reports that verified status is once again being dangled as bait.

The “importance” of being verified

Being verified gives the impression of status, or importance, on social media platforms. Often, verification is more about simply confirming that someone is in fact who they claim to be. There are many verified accounts out there for people you’ll not have heard of, and that’s perfectly fine. At the other end of the scale, it is definitely an additional status symbol for people who care about such things. It’s also very handy for confirming that high-profile accounts are in fact the real deal.

Scammers know this, and bank on it on a daily basis. Indeed, a whole sub-industry of fake verification services exists to part people from their money (and, potentially, accounts).

It’s not just the scams on the platform itself you have to be wary of. It’s the messages bouncing around off-platform too.

The phish in motion

No fewer than 1,000 phishing messages per day were sent in this particular campaign, peaking at the end of July and early August. The mails, branded to resemble official Instagram / Facebook missives, read as follows:

Your Instagram account has been reviewed by us and has been deemed eligible for a blue badge. To get your blue badge, please click the badge form button below and fill the form carefully. Make sure you fill out the form correctly and completely. Otherwise, your account will not be verified. If you ignore this message, the form will be permanently deleted within 48 hours.

An interesting scam combo, here. The usual splash of time-related pressure to get something done “or else”. Add to this the suggestion that the hard part, actually getting verified in the first place, is all but done. All you have to do is click a button and essentially say “yes please”.

Sounds great. Sounds too good to be true. (Because it is.)

You won’t get something for nothing

The bogus website, adorned with several Facebook-centric logos, asks for username, password, email, and phone number. Anyone filling out the form and hitting submit is going to be very disappointed. The only winner here is the scammer, who now has everything they need to steal the victim’s Instagram account.

As highlighted by Instagram, notability (“Your account must represent a well-known, highly searched for person, brand or entity”) is a seemingly non-negotiable part of the verification deal. You won’t get verified by any other route, no matter how many promises those dubious verification services make.

If you’ve fallen for this, go and change your login details while there’s still time. Consider enabling Instagram’s two-factor authentication. You may be able to gain verification on other social media platforms even without what is considered to be a “notable” profile. As far as Instagram is concerned though, you’re just going to have to ignore those tempting email invitations.

Microsoft will disable Basic authentication for Exchange Online in less than a month

Microsoft has posted a reminder on the Exchange Team blog that Basic authentication for Exchange Online will be disabled in less than a month, on October 1, 2022.

The first announcement of the change dates from September 20, 2019. With so much warning you might expect organizations to be ready, and many are. But there has been an entire pandemic since then, and no shortage of other things for Exchange users to worry about. So, as always, some aren’t ready.

Goodbye “Basic”, hello “Modern”

For many years, client apps have used Basic authentication to connect to servers, services and endpoints. It is enabled by default on most servers and services and it’s easy to set up. Basic authentication sends a username and a password with every request, encoded in base64 rather than encrypted, and does not require TLS. Without TLS the credentials travel over the wire in what is effectively plain text, making them easy to intercept; even with TLS, a stolen or phished password is all an attacker needs. To make matters worse, according to Microsoft, using Basic authentication means “the enforcement of multifactor authentication (MFA) is not simple or in some cases, possible”—an absolute no-no for 2022.
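To make the “plain text” point concrete, here is an added example that is not Microsoft’s code and not part of the original post. It builds the Authorization header exactly as a Basic-auth client does, then shows that anyone holding the request text (a proxy, a captive portal, a compromised endpoint) recovers the password in one step, while a Modern-auth bearer token yields nothing of the sort. The HTTP requests, user name, password and token value are constructed for the example.

```python
"""Added example (not Microsoft's code, not from the original post): what a
Basic authentication header actually carries.  Base64 is an encoding, not
encryption, so anyone who can read the request recovers the password.  The
requests below are constructed for this example."""

import base64
import binascii
from typing import Dict, List, Optional, Tuple


def build_basic_header(username: str, password: str) -> str:
    """What every Basic-auth client does on every request (RFC 7617)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Header names lower-cased; the request line is skipped."""
    headers: Dict[str, str] = {}
    for line in raw_request.split("\r\n")[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def decode_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """'Basic dXNlcjpwYXNz' -> ('user', 'pass'); None if not Basic or not decodable.
    Split on the first ':' only, because passwords may contain ':'."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def classify_auth(raw_request: str) -> str:
    """'basic', 'bearer', 'other' or 'none' for the request's Authorization header."""
    auth = parse_headers(raw_request).get("authorization")
    if auth is None:
        return "none"
    scheme = auth.split(" ", 1)[0].lower()
    return scheme if scheme in ("basic", "bearer") else "other"


def audit(requests: List[str]) -> List[dict]:
    """One row per request: path, scheme used and, for Basic, the recovered credentials."""
    rows = []
    for req in requests:
        path = req.split(" ", 2)[1] if " " in req else "?"
        auth = parse_headers(req).get("authorization", "")
        rows.append({"path": path,
                     "scheme": classify_auth(req),
                     "credentials": decode_basic(auth)})
    return rows


# Constructed sample: an EWS call with Basic auth, an ActiveSync call with a
# Modern-auth bearer token (placeholder value), and an unauthenticated probe.
SAMPLE_REQUESTS = [
    "POST /EWS/Exchange.asmx HTTP/1.1\r\nHost: outlook.office365.com\r\n"
    "Authorization: " + build_basic_header("alice@contoso.com", "P@ssw0rd123") + "\r\n\r\n",
    "POST /Microsoft-Server-ActiveSync HTTP/1.1\r\nHost: outlook.office365.com\r\n"
    "Authorization: Bearer eyJ0eXAiOiJKV1QifQ.placeholder.signature\r\n\r\n",
    "GET /autodiscover/autodiscover.xml HTTP/1.1\r\nHost: outlook.office365.com\r\n\r\n",
]


if __name__ == "__main__":
    for row in audit(SAMPLE_REQUESTS):
        print(row)
```

Run the same `audit` over requests captured at an outbound proxy and any row whose scheme is `basic` is a client that still needs migrating before the October 1 cut-off.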

Microsoft wants its customers to switch to Modern authentication (OAuth 2.0 token-based authorization). Modern authentication is an umbrella term for a combination of authentication and authorization methods between a client, like a laptop or a phone, and a server. It enables authentication features like multi-factor authentication (MFA), smart cards, certificate-based authentication (CBA), and third-party Security Assertion Markup Language (SAML) identity providers.

The schedule

The change will be implemented for MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell. SMTP AUTH is not part of this change. For those using the Reporting Web Service REST endpoint to get access to Message Tracking Logs and more, this service will continue to have Basic authentication enabled until December 31, 2022.

To spread the workload, starting October 1, Microsoft will randomly select tenants and disable Basic authentication for the affected protocols. Each tenant will receive a Message Center post seven days in advance, and a Service Health Dashboard notification on the day of the change.

To avoid the pitfall of thinking your organization is ready when it is not, there is a Basic authentication self-help diagnostic in the Microsoft 365 admin center. Click the small green “?” symbol in the lower right hand corner of the screen and enter the phrase “Diag: Enable Basic Auth in EXO”. (Alternatively, the Microsoft blog article has a button that will launch the diagnostic in the admin center for you.)

Escape and delay

If you are not ready for this change then Microsoft is offering customers the option to opt specific protocols out of the Basic authentication disablement temporarily. Be warned though, by January 2023 Basic authentication will be off for all protocols, no matter whether you opted out or not.

It is also worth considering that no matter how inconvenient this change might be, it is being done for very good security reasons, so we would advise you to switch to Modern authentication as soon as possible. We have reported on many phishing campaigns that are after your Microsoft login credentials, and on many other schemes to steal them. Basic authentication is simply no longer safe enough for such an important part of your business.

Are you ready? Let us know in the comments if anything is holding you back or whether you’ve been ready for years.

Zero-day puts a dent in Chrome’s mojo

On Friday, Google announced the release of a new version of its Chrome browser that includes a security fix for a zero-day tracked as CVE-2022-3075. As with previous announcements, technical details about the vulnerability won’t be released until a certain number of Chrome users have already applied the patch.

Google is urging its Windows, Mac, and Linux users to update Chrome to version 105.0.5195.102.

CVE-2022-3075 is described as an “[i]nsufficient data validation in Mojo”. According to Chromium’s documentation, Mojo is “a collection of runtime libraries” that provides a platform-agnostic abstraction over the low-level interprocess communication (IPC) primitives Chrome uses to pass messages between its sandboxed processes. Because Mojo messages cross the sandbox boundary, validation flaws in Mojo are the kind of bug typically chained with a renderer compromise to escape the sandbox.

An anonymous security researcher is credited for discovering and reporting the flaw.

CVE-2022-3075 is the sixth zero-day Chrome vulnerability Google has had to address this year. The previous ones were:

  • CVE-2022-0609, a Use-after-Free (UAF) vulnerability, which was patched in February
  • CVE-2022-1096, a “Type Confusion in V8” vulnerability, which was patched in March
  • CVE-2022-1364, a flaw in the V8 JavaScript engine, which was patched in April
  • CVE-2022-2294, a flaw in the Web Real-Time Communications (WebRTC), which was patched in July
  • CVE-2022-2856, an insufficient input validation flaw, which was patched in August

Google Chrome needs minimal oversight as it updates itself automatically. However, if you’re in the habit of never closing your browser, or have extensions or policies that may hinder Chrome from updating, check your browser every now and then: the menu entry Help > About Google Chrome shows the running version and triggers an update check.

Once Chrome notifies you of an available update, don’t hesitate to download it. The patch is applied once you relaunch the browser.


Stay safe!

Controversial Kids’ Code aims to keep children safe online

California has passed a bill designed to make the internet a safer place for children. The bill, commonly referred to as the “Kids’ Code”, has been passed by the State Senate. If signed by Gov. Gavin Newsom, it will spring into life.

What is it, and how is it designed to help children be safe online? Perhaps more importantly, why do some people feel the Code may not be all it’s cracked up to be?

From COPPA to Kids’ Code

The US has something called the Children’s Online Privacy Protection Act (COPPA for short). The act:

…imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.

For some time now, the Act has been criticised for certain shortcomings. The primary issue for most people is that COPPA is a grey area for teens, because teens routinely use apps and services that were not necessarily designed for them. As COPPA only deals with sites and services directly targeting children under 13, the moment an older child uses an app or service designed for someone younger, the COPPA wheels start to come off.

The Kids’ Code aims to fix that. From the text:

This bill would enact the California Age-Appropriate Design Code Act, which, commencing July 1, 2024, would, among other things, require a business that provides an online service, product, or feature likely to be accessed by children to comply with specified requirements, including a requirement to configure all default privacy settings offered by the online service, product, or feature to the settings that offer a high level of privacy, unless the business can demonstrate a compelling reason that a different setting is in the best interests of children, and to provide privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that online service, product, or feature.

Extra safeguarding

Online services would need to begin adding additional safeguards for anyone under the age of 18. Although nothing would be in force until 2024, as noted above, requirements include:

  • Defaulting to the highest possible privacy settings.

  • Making it obvious if the child using a device is having their location monitored.

Advertising and profiling are a natural additional concern when children are involved. As a result, dark patterns would be prohibited. These are dubious design choices intended to lead unwary users to specific choices they might otherwise have avoided. They can be quite manipulative, so they are a natural target for the bill.

Data Protection Impact Assessments (DPIAs) will also be required for any company which falls under the bill. DPIAs must take into consideration a variety of things, including, but not limited to:

…whether the design of the online product, service, or feature could harm children, including by exposing children to harmful, or potentially harmful, content on the online product, service, or feature,” and “whether the design of the online product, service, or feature could permit children to witness, participate in, or be subject to harmful, or potentially harmful, conduct on the online product, service, or feature.

This will likely require a huge amount of work to pin down correctly, especially for organisations with multiple products potentially in use by young children and teenagers. Is it feasible to be able to do this in time for 2024?

Some reasonable concerns…

Not everyone is entirely on board with the bill’s content. There are fears of mandatory age identification, and the suggestion that children will simply stop making use of new services. This is due to the possible drag effect of having to prove your age and identity on every website.

There is also the question of how, exactly, you verify a child’s age. What valid identification do they have? Could their age be determined by guesstimates based on biometric/facial scanning? The face scanning aspect of this, in particular, is not proving to be particularly popular.

All this additional verified data naturally paints a target on its own back for data theft and fraud attempts. Can the companies collecting and storing this data guarantee it will be properly secured? What happens if or when it’s stolen or leaked?

These are pretty big questions, and at the moment, we don’t really have all of the answers. All we can do is wait and see what direction the bill heads in next.

Data broker sued for allegedly selling individuals’ sensitive location data

The Federal Trade Commission (FTC) has sued data broker Kochava for allegedly selling information that would allow for individuals’ whereabouts to be traced to sensitive locations. The information included location data from hundreds of millions of phones, including sensitive locations that could be tied to an individual.

And, while the name Kochava may not ring any bells, it actually has a sizeable footprint in the data collection industry. In its own words, Kochava is the industry leader for mobile app attribution and mobile app analytics, and its platform provides a comprehensive set of measurement and targeting tools for app marketers.

While we are all more or less aware that advertisers spend a lot of money to enhance their targeted advertising strategies, there are boundaries to what the FTC will allow.

Buy and sell

Kochava is a location data broker that provides precise geolocation data from consumers’ smartphones and also purchases similar data sets from other brokers in order to resell them to clients. These data feeds are often used by clients who want to analyze things like foot traffic at local stores or other locations. The data not only shows the exact location of mobile devices, it also ties each location to a unique identifier, such as a device ID, and to other information such as an IP address and device type.

This means that an exact location can be traced back to a unique individual. Kochava even boasts that one of the possibilities of the datasets is to identify households, for example by tracking where the phones “stay at night”.

This is one of the objections brought up by the FTC. The data is not anonymized and can be used to identify the mobile device’s user or owner. That identification is made easier because other data brokers specifically sell services that match Mobile Advertising IDs with offline information, like consumers’ names and physical addresses.

Sensitive locations

Sensitive locations are one area where the FTC takes a hard stance. As we can read in the complaint, the Federal Trade Commission filed the lawsuit against Kochava for selling geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations.

As examples of sensitive locations the FTC lists:

  • reproductive health clinics
  • places of worship
  • homeless and domestic violence shelters
  • addiction recovery facilities

Having such information revealed could expose people to threats of stigma, stalking, discrimination, job loss, and even physical violence, the FTC explained. In an earlier article, we explained why Google has promised to delete location data of trips to sensitive locations.

Ruling to follow

The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information. Earlier this month, the FTC announced that it is exploring rules to crack down on harmful commercial surveillance practices that collect, analyze, and profit from information about people. The FTC files a complaint when it has reason to believe that the named defendants are violating or are about to violate the law and it appears to the Commission that a proceeding is in the public interest.

According to Kochava’s management

“this lawsuit shows the unfortunate reality that the FTC has a fundamental misunderstanding of Kochava’s data marketplace business and other data businesses. Kochava operates consistently and proactively in compliance with all rules and laws, including those specific to privacy.”

The case will be decided by the court. The complaint was filed in the U.S. District Court for the District of Idaho, where Kochava is based.

What is a keylogger?

A blog post published earlier this year posed the question “Is Grammarly a keylogger?” I have personally had people reference that post and ask me to add detection of Grammarly to Malwarebytes. The answer has always been, “no.” Whether or not you like what Grammarly does, Grammarly is not a keylogger, according to the way that term is used by the security industry.

This raises the question: exactly what is a keylogger, then?

A keylogger is anything that logs keystrokes, right?

Well, no. This is way too broad a definition, since there are countless programs installed on every computer on earth designed to capture and save your keystrokes. Any word processor, for example. For that matter, any productivity software, whether that be a word processor, a notepad, a spreadsheet, a slideshow app, etc. Even something as low-level as a shell in a Terminal window records everything you type in its command history.

Using a computer made in the last several decades is all about typing things in a keyboard, and some program doing something with all those button presses. There’s a tongue-in-cheek saying about a common piece of advice for avoiding phishing attacks: you can’t tell the user to stop clicking things on the thing-clicking machine. Similarly, if you’re going to blow the whistle at anything that captures your keystrokes, you’re fighting a losing battle.

Is it something that sends your keystrokes somewhere?

We’re getting closer, but still no. Think about the things you use every day. A web browser, for example. Every time you type a search in a browser, what you type is sent off to the search engine of your choosing (most likely Google). Plus, there are tons of websites that will save things you type on the server. Consider Google docs, for example. Everything you type in such a document in your browser gets sent off to Google.

The web browser isn’t the only guilty party, of course. Consider Apple’s Notes app. Depending on your settings, everything you type in the Notes app will be synced to iCloud. The same is true of Microsoft’s OneNote app. For that matter – again, depending on your settings – doing a Spotlight search on your Mac can send everything you type in the search bar to Apple.

This is clearly where Grammarly lies. It collects keystrokes and sends them off your device for the purpose of having their backend system check the grammar of what you typed. Would it be better if it could do all that on the device? Certainly, though I know nothing of the technical reasons why that decision was made. Would I personally use Grammarly? Not a chance. However, there are many people who need a grammar checker and like the features Grammarly offers.

Clearly, these things are all legitimate apps, offering legitimate functionality. This definition is still too broad to be useful.

Then what IS a keylogger?

A more useful definition would be:

A keylogger is a program that collects keystrokes and sends them to a third-party, solely for the benefit of that third-party.

The key differentiator between a keylogger and something more legitimate is that it’s not collecting your keystrokes for your benefit. Instead, someone else intends to use what you typed for some purpose of their own, nefarious or otherwise. However, within this definition, there are a few different types of keyloggers.

“Potentially unwanted” keyloggers

A keylogger may be identified as a “PUP” (which stands for “Potentially Unwanted Program”) if it’s software that is sold legally and openly. Such programs are often marketed as tools for monitoring your children or employees, and as such have a theoretical legitimate use. (I have some strongly negative opinions about the use of keylogging software for such purposes, but to each their own.)

However, such keyloggers are also very commonly misused. In reality, legitimate usage of such keyloggers is probably dwarfed by illegitimate usage. People with access to someone else’s device can install them without the owner’s knowledge for unsavory – even malicious – reasons. This is quite common with intimate partner abuse, stalking, workplace harassment, etc.

For this reason, most security software will detect these so-called “legitimate” keyloggers as PUPs. Malwarebytes, as a member of the Coalition Against Stalkerware, is certainly no exception.

Adware keyloggers

These keyloggers are things that collect keystrokes within certain contexts for the purposes of targeting you with ads, building a profile to better understand you as a target for ads, or as a means of better understanding the entire customer base. An example of the type of data that such a program might collect would be every search you enter in your browser and every site you visit (whether that’s by typing the address in the address bar or clicking a link). Such programs often go well beyond just logging keystrokes, and will collect things such as your browser history, browser of choice, software installed on your computer, your location, etc.

These programs will generally trick the user into installing them, using a variety of lures. The old fake Adobe Flash Player installer trick is one of the most common, even now, when Flash is long dead. Generally speaking, though, these are spread in the form of trojans, i.e., programs the user is tricked into downloading and running.

Such programs are either malware or just shy of malware, depending on your definition. Either way, they serve no legitimate purpose for anyone other than shady advertisers and deserve to be deleted with extreme prejudice. The only good news is that it is not the intent of these programs to harm you (though poor data handling practices by shady adware companies definitely could cause harm regardless of intent).

Malicious keyloggers

This is the most concerning category of keyloggers. These are the ones without any supposed “legitimate” purpose, intended for nothing but to steal your information. Such keyloggers are often used to collect sensitive information, such as account credentials, credit card numbers, social security numbers, and more.

Malicious keyloggers get onto your machine through a variety of means. They could be trojans, often using a lure more convincing than a fake Flash installer. They could infect your machine through a browser vulnerability that allows arbitrary code to execute. (This is less common on Macs than on Windows, but is nonetheless an increasing problem for Mac users.)

Such malware has also been known to have been installed manually, by attackers who have gotten access to the machine somehow, via physical or remote access. In a well-known case, the creator of the FruitFly malware is known to have used passwords obtained from data breaches to gain access to victims’ Macs. He used a process called “credential stuffing,” in which a password obtained from one online account is used to attempt to log in to something else. Since so many people reuse passwords, this is unfortunately a fairly reliable strategy.

In the case of malicious keyloggers, the software is rarely limited to just capturing keystrokes. Most malicious spyware has keylogging capabilities as only a part of the complete package, also including – among other things – file collection, capture of the screen contents, capture of video and audio via the webcam and microphone, and even execution of arbitrary commands. Thus, most such malware is not referred to as a “keylogger,” but rather is called “spyware.”

How do I protect myself from keyloggers?

Obviously, one way to do so is to use some kind of antivirus software, such as Malwarebytes. If you think you might be being targeted by someone using a PUP keylogger, make sure that the software you use detects such software. Membership in the Coalition Against Stalkerware would be a good indication of that.

You can avoid some of the common means that attackers may use to install a keylogger on your device by making sure you use a strong login password on your computer. Make sure it’s one that nobody could guess, and don’t leave your computer logged in and unattended. If you need to share your computer with someone, don’t let them use your account on the computer. Instead, create a separate account for that person and do not give them admin privileges. (On a Mac, this can be done in System Preferences -> Users & Groups.)

When it comes to the more malicious stuff, be careful about what you download. If a website tells you that you need to install something to see its content, or tells you that you’re infected and that you need to install something to fix it, run away screaming. (If you’re in a public place, you may want to consider just closing the browser window, though; otherwise you may get strange looks.)

It’s also critically important to keep your system up-to-date. Doing so ensures that your system is protected against known vulnerabilities that could be used to infect your device. On a Mac, go to System Preferences -> Software Update and check the box reading Automatically keep my Mac up to date.

None of this is a guarantee, but these steps will go a long way towards reducing the chances of ever being affected by a keylogger.

TikTok vulnerability could have allowed hijackers to take over accounts

Microsoft has released a detailed rundown of an issue, now fixed, which was potentially dangerous for users of TikTok. The problem, flagged as a “high-severity vulnerability” by Microsoft, required several steps chained together in order to function. Attackers making use of it could have compromised accounts with one click.

From there, the standard rules of engagement for compromised accounts apply. Sending messages, uploading content, checking out sensitive information or looking at private videos; all of this and more would have been possible. Worse, Microsoft determined that both versions of the TikTok app on Android (the global app and the one distributed in East and Southeast Asia) were vulnerable to this issue. That’s around 1.5 billion installations in total, so it’s just as well TikTok received word of the vulnerability in February of this year and it’s now fixed.

Shall we take a look?

What is a deeplink?

To ward off any possible confusion, deeplinks are completely unrelated to deepfakes.

This issue is pinned around TikTok’s deeplink verification. A deeplink is a URL that opens a specific screen inside an installed app rather than a page in the browser. As Engadget explains, tapping a Twitter embed in Chrome on mobile and having it open the Twitter app is an example of this working in practice.

Where this goes wrong is when someone finds a way to bypass the app’s deeplink verification and make those URLs behave in unexpected ways. As it happens, our old friend JavaScript is the first step in the chain to exploit success.

The perils of JavaScript interface injection

Exploitation depended on how the app implemented JavaScript interfaces, a feature of WebView, the Android component an app uses to load and display web pages. Loading untrusted content into a WebView that exposes such interfaces leaves the app vulnerable to JavaScript interface injection: script on the attacker’s page can call the native methods the app exposed, which can lead to corrupted data, leakage, and even arbitrary code execution.

Microsoft found that several of these issues, chained together in the handling of a specific deeplink, could force the app’s WebView to load arbitrary URLs.

The vulnerability is tracked as CVE-2022-28799:

The TikTok application before 23.7.3 for Android allows account takeover. A crafted URL (unvalidated deeplink) can force the com.zhiliaoapp.musically WebView to load an arbitrary website. This may allow an attacker to leverage an attached JavaScript interface for the takeover with one click.

Fixes and suggestions

Microsoft has the following advice for app developers who need to expose JavaScript interfaces in a WebView:

  • Use the default browser to open URLs that don’t belong to the application’s approved list.

  • Keep the approved list up to date and track the expiration dates of the included domains. This can prevent attackers from hijacking WebView by claiming an expired domain on the approved list.

  • Avoid using partial string comparison methods to compare and verify a URL with the approved list of trusted domains.

  • Avoid adding stage or internal network domains to the approved list as these domains could be spoofed by an attacker to hijack WebView.
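The third point is the one that fails silently in practice, so here is an added example of it, not Microsoft’s or TikTok’s code and not part of the original post. It puts the partial string comparison the guidance warns against beside a check that parses the URL first and compares only the host, pinned to https, and routes anything else to the external browser as the first point recommends. Python’s urlsplit stands in for Android’s Uri parsing; the allowed domains and the probe URLs are assumptions constructed for the example.

```python
"""Added example (not Microsoft's or TikTok's code, not from the original post):
the allow-list check a WebView should apply before loading a URL taken from a
deeplink, beside the partial-string comparison the guidance warns against.
Domains and probe URLs below are constructed for this example."""

from typing import Iterable
from urllib.parse import urlsplit

# Assumed first-party allow-list (hypothetical).
ALLOWED_DOMAINS = ("tiktok.com", "tiktokv.com")


def naive_allowed(url: str, allowed: Iterable[str] = ALLOWED_DOMAINS) -> bool:
    """Partial string comparison: 'does an approved domain appear anywhere in
    the URL?'  Passes for attacker-controlled hosts that merely contain it."""
    return any(domain in url for domain in allowed)


def strict_allowed(url: str, allowed: Iterable[str] = ALLOWED_DOMAINS) -> bool:
    """Parse first, then compare only the host: exact match or a proper
    subdomain ('.' + domain).  The scheme is pinned to https so javascript:,
    http: and custom schemes never reach the WebView."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname  # lower-cased; userinfo and port already stripped
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in allowed)


def pick_target(url: str) -> str:
    """Routing decision from the guidance above: the WebView only for approved
    hosts, the default browser for everything else."""
    return "webview" if strict_allowed(url) else "external-browser"


# Constructed probes an attacker might place in a deeplink's redirect parameter.
PROBES = [
    "https://www.tiktok.com/@someone",                    # legitimate
    "https://www.tiktok.com.evil.example/",               # approved name as a prefix label
    "https://eviltiktok.com/",                            # approved name as a suffix
    "https://www.tiktok.com@evil.example/",               # userinfo trick
    "https://evil.example/?next=https://www.tiktok.com",  # approved name in the query
    "http://www.tiktok.com/",                             # downgrade
    "javascript:alert(document.cookie)",                  # straight at the JS interface
]


if __name__ == "__main__":
    for url in PROBES:
        print(f"naive={naive_allowed(url)!s:5} strict={strict_allowed(url)!s:5} {url}")
```

The second and fourth points in the list are operational rather than code: `strict_allowed` is only as good as the allow-list it is given, so an expired or staging domain left in `ALLOWED_DOMAINS` re-opens the hole even though the comparison itself is sound.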

It’s important to note that Microsoft has seen no evidence of this being exploited in the wild. There is no need for users to be panicking about this particular exploit. There are many threats out there for users of TikTok like phishing and social engineering. This one, however, can be set aside as a highly technical “close, but no cigar”.