TikTok vulnerability could have allowed hijackers to take over accounts

Microsoft has released a detailed rundown of an issue, now fixed, which was potentially dangerous for users of TikTok. The problem, flagged as a “high-severity vulnerability” by Microsoft, required several steps chained together in order to function. Attackers making use of it could have compromised accounts with one click.

From there, the standard rules of engagement for compromised accounts apply. Sending messages, uploading content, checking out sensitive information or looking at private videos; all of this and more would have been possible. Worse, Microsoft determined that both versions of the TikTok app on Android were vulnerable to this issue. That’s around 1.5 billion installations in total, so it’s just as well TikTok received word of the vulnerability in February of this year and it’s now fixed.

Shall we take a look?

What is a deeplink?

To ward off any possible confusion, deeplinks are completely unrelated to deepfakes.

This issue is pinned around TikTok’s deeplink verification. These deeplinks can make URLs function in a variety of different ways. As Engadget explains, hitting a Twitter embed on Chrome mobile which opens the Twitter app is an example of this working in practice.

Where this goes wrong is when someone finds a way to bypass this deeplink verification, and make URLs behave in unexpected ways. As it happens, our old friend JavaScript is the first step in the chain to exploit success.

The perils of JavaScript interface injection

Exploitation was dependent on how the app implemented JavaScript interfaces, provided by something called WebView in the Android operating system which is used to load and display web pages. Untrusted content loaded up in WebView left the app vulnerable to something called JavaScript interface injection. This could lead to corrupted data, leakage, and even arbitrary code execution.

Microsoft found that several of these issues chained together with regard to handling a specific deeplink could force loading of arbitrary ULRs to the app’s WebView.

The fixed exploit now lives on only as CVE-2022-28799:

The TikTok application before 23.7.3 for Android allows account takeover. A crafted URL (unvalidated deeplink) can force the com.zhiliaoapp.musically WebView to load an arbitrary website. This may allow an attacker to leverage an attached JavaScript interface for the takeover with one click.

Fixes and suggestions

Microsoft has the following advice for app developers required to dabble with JavaScript interfaces:

  • Use the default browser to open URLs that don’t belong to the application’s approved list.

  • Keep the approved list up to date and track the expiration dates of the included domains. This can prevent attackers from hijacking WebView by claiming an expired domain on the approved list.

  • Avoid using partial string comparison methods to compare and verify a URL with the approved list of trusted domains.

  • Avoid adding stage or internal network domains to the approved list as these domains could be spoofed by an attacker to hijack WebView.

It’s important to note that Microsoft has seen no evidence of this being exploited in the wild. There is no need for users to be panicking about this particular exploit. There are many threats out there for users of TikTok like phishing and social engineering. This one, however, can be set aside as a highly technical “close, but no cigar”.