Microsoft security researchers on the 365 Defender Research Team discovered a serious vulnerability in the TikTok Android app that could enable one-click account takeovers, according to an in-depth report published on August 31.
The vulnerability, CVE-2022-28799, carries a CVSS score of 8.8 (high) and is described in NIST's National Vulnerability Database as allowing “an attacker to leverage an attached JavaScript interface for the takeover with one click.”
One-click hack required an exploit chain to be successfully executed
To arrive at that one-click execution, in which the victim is compromised simply by clicking a maliciously crafted link, the attacker first had to chain several separate issues together. Once that was done, a single click would give the attacker access to the victim's TikTok profile, along with the ability to publish videos and send messages, Microsoft reveals.
“The vulnerability allowed the app’s deeplink verification to be bypassed. Attackers could force the app to load an arbitrary URL to the app’s WebView,” Microsoft says, “allowing the URL to then access the WebView’s attached JavaScript bridges and grant functionality to attackers.” From there, the attacker could trigger a request to a server they control and log the cookies and request headers, capturing the user’s TikTok authentication token and so bypassing login protections.
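The bug class Microsoft describes is an Android deep link that forwards a URL parameter into a WebView which already has a JavaScript bridge attached, guarded only by a weak host check. The following is an added illustration written for this article, not TikTok's code and not the actual flaw Microsoft found: the activity name, the `myapp://webview?url=` deep-link scheme, the `Bridge` class and the `ALLOWED_HOSTS` list are all hypothetical. It shows a substring-style check beside a parsed, exact-host allowlist, and re-validates every navigation because the bridge stays attached for the life of the WebView.

```java
// Added example for this article (hypothetical app), not TikTok's code.
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class DeepLinkWebViewActivity extends Activity {
    // Assumed allowlist: only these exact hosts may load in the privileged WebView.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com", "m.example.com"));

    // Anything rendered in the WebView can call Bridge.getToken() from JavaScript,
    // so the page loaded into it must be fully trusted.
    static class Bridge {
        private final String authToken;
        Bridge(String authToken) { this.authToken = authToken; }
        @JavascriptInterface
        public String getToken() { return authToken; }
    }

    // VULNERABLE: substring match. Both of these pass and are attacker-controlled:
    //   https://attacker.example.net/?ref=m.example.com
    //   https://m.example.com.attacker.example.net/
    static boolean isTrustedWeak(String url) {
        return url.contains("example.com");
    }

    // HARDENED: parse the URL, require https, reject embedded userinfo
    // (https://m.example.com@attacker.example.net/), and compare the host exactly.
    static boolean isTrustedStrict(String url) {
        if (url == null) return false;
        Uri u = Uri.parse(url);
        if (!"https".equalsIgnoreCase(u.getScheme())) return false;
        if (u.getUserInfo() != null) return false;
        String host = u.getHost();
        if (host == null) return false;
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    @Override
    protected void onCreate(Bundle saved) {
        super.onCreate(saved);
        WebView wv = new WebView(this);
        setContentView(wv);
        wv.getSettings().setJavaScriptEnabled(true);
        // The bridge is attached before any page loads, so URL validation is the only barrier.
        wv.addJavascriptInterface(new Bridge("session-token-placeholder"), "Bridge");

        // Re-check every navigation: a trusted page may redirect or link elsewhere,
        // and the bridge would otherwise follow the WebView to that content.
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true cancels the navigation.
                return !isTrustedStrict(request.getUrl().toString());
            }
        });

        // Deep link of the form myapp://webview?url=https://m.example.com/page (hypothetical).
        Uri deepLink = getIntent().getData();
        String target = deepLink == null ? null : deepLink.getQueryParameter("url");
        if (isTrustedStrict(target)) {
            wv.loadUrl(target);
        } else {
            finish(); // never load untrusted content into a bridged WebView
        }
    }
}
```

Two practitioner notes. First, on Android versions below API 17 `addJavascriptInterface` exposes every public method of the object regardless of the `@JavascriptInterface` annotation, so a bridged WebView should target API 17 or later. Second, an exact host allowlist still does not protect against an open redirect or content injection on an allowed host; the least-privilege fix is to attach the bridge only for the specific flows that need it rather than to every WebView the app opens.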
1.5 billion TikTok Android app users
With more than 1.5 billion installs of TikTok for Android across the two builds TikTok ships (one for East and Southeast Asia and one for the rest of the world), the potential impact of CVE-2022-28799 merited that high rating. The Microsoft 365 Defender Research Team agreed, and a senior security researcher shared the details with TikTok through coordinated vulnerability disclosure in February 2022.
TikTok responded quickly and effectively, releasing an updated Android app that fixes the problem. App versions prior to 23.7.3 are affected, so Android users should confirm that their app is at version 23.7.3 or later and is therefore protected against this issue.
There is more good news from Microsoft: it is not aware of any in-the-wild exploitation of CVE-2022-28799 before the fix was released.
Mitigation advice for similar attack methodologies
Dimitrios Valsamaras of the Microsoft 365 Defender Research Team recommends the following to defend against similar exploits:
- Avoid clicking links from untrusted sources
- Always keep the device and the installed applications updated
- Never install applications from untrusted sources
- Immediately report any strange application behavior, such as setting changes triggered without user interaction, to the vendor