One Click Hijack: TikTok Android App Users at Risk?

Amidst the havoc that has been data breaches, another one bites the dust! Microsoft on Wednesday disclosed that it had found a high-severity flaw in the Android version of the TikTok app that would have given attackers a way to hijack a user's account with a single click.

The issue had been reported to TikTok back in February and was quickly fixed before it could be exploited. Had it not been detected in time, the bug would have affected the Android TikTok app, which has around 1.5 billion installations on Google Play.

"Attackers could have leveraged the vulnerability to hijack an account without users' awareness if a targeted user simply clicked a specially crafted link."

"Attackers could have then accessed and modified users' TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users," Dimitrios Valsamaras of the Microsoft 365 Defender Research Team stated in the official Microsoft post addressing the issue.

The researchers identified more than 70 exposed methods while analyzing the functionality accessible to JavaScript code in web pages loaded into WebView (a component of the Android app that is used to display web content).

These exposed methods could let threat actors access users' private information and videos and modify them. By invoking such methods, an attacker can:

  • Retrieve the user's authentication tokens by triggering a request to a controlled server and logging the cookie and the request headers.
  • Retrieve or modify the user's TikTok account data, such as private videos and profile settings, by triggering a request to a TikTok endpoint and retrieving the reply via the JavaScript callback.

Remember the many times you've been reminded not to click unknown links, but sometimes you click them anyway, and suddenly everything goes haywire? Yes, that is what the fuss is all about!

With this vulnerability, attackers would have been able to bypass the app's deep link verification and force it to load arbitrary URLs into its WebView. This would have given them access to the WebView's JavaScript bridges and granted them control over the app.

The vulnerability is tracked as CVE-2022-28799 and stems from how the app's deep link handling is implemented. The CVSS (Common Vulnerability Scoring System), an open framework for communicating the severity of a software vulnerability, gives this vulnerability a score of 8.3 (according to the Microsoft post).

A CVSS score of 8.3 falls in the High severity band, meaning it needs to be addressed quickly!

One Click

Wondering why all it would take to compromise your app is one click?

Well, the unvalidated deep link, which is a crafted URL, can cause the com.zhiliaoapp.musically WebView to load an arbitrary website, which gives attackers control of the JavaScript interface with one click.
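The defensive side of the issue described above, as an added example that is not TikTok's code and not from the Microsoft post: an Android Activity that receives a deep link and forwards it into a WebView only after an exact-host allowlist check, attaches the JavaScript bridge only after that check passes, and keeps later navigations inside the allowlist. The package name, class names, the allowed hosts and the `url` query parameter are assumptions for the demo, and the manifest is assumed to route a custom deep link scheme to this Activity.

```java
// Added example (not TikTok's or Microsoft's code): hardened handling of a deep
// link whose target is loaded into a WebView. Names and hosts are assumptions.
package com.example.deeplinkdemo;

import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class DeepLinkActivity extends Activity {
    // Exact hostnames the WebView is allowed to load (assumed values for the demo).
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.example-app.com", "m.example-app.com"));

    /** Returns true only for https URLs whose host is exactly on the allowlist. */
    static boolean isTrustedUrl(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        String host = uri.getHost();
        // getHost() returns the parsed authority without user-info or port, so the
        // host is compared as a whole rather than as a substring of the URL string.
        return "https".equals(uri.getScheme())
                && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** Weak check shown only for contrast: a substring match also accepts
     *  "https://www.example-app.com.evil.example/" and "https://evil.example/?x=example-app.com". */
    static boolean isTrustedUrlWeak(String url) {
        return url != null && url.contains("example-app.com");
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        // Assumed deep link shape for the demo: demoapp://open?url=<target>
        Uri deepLink = getIntent().getData();
        String target = deepLink == null ? null : deepLink.getQueryParameter("url");

        if (!isTrustedUrl(target)) {
            finish();   // refuse to load anything that is not on the allowlist
            return;
        }

        webView.getSettings().setJavaScriptEnabled(true);
        // The bridge is exposed only because the host was verified above; an
        // attacker-controlled page must never reach this line.
        webView.addJavascriptInterface(new NativeBridge(), "NativeBridge");

        // Redirects and in-page link clicks are re-checked against the allowlist;
        // returning true blocks the navigation.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isTrustedUrl(request.getUrl().toString());
            }
        });
        webView.loadUrl(target);
    }

    /** Minimal bridge exposed to page JavaScript; only annotated methods are callable. */
    static class NativeBridge {
        @JavascriptInterface
        public String appVersion() { return "1.0-demo"; }
    }
}
```

The `shouldOverrideUrlLoading(WebView, WebResourceRequest)` overload used here exists from API level 24; on older targets the deprecated `String`-URL overload takes the same check. The point of the contrast between `isTrustedUrl` and `isTrustedUrlWeak` is that the decision to expose a JavaScript bridge must rest on the parsed host of the URL, not on whether the expected domain name appears somewhere in it.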

Want To Protect Yourself Against Such Future Vulnerabilities?

Listed below are the go-to methods to ensure you have done all you can to protect yourself from these security threats.

1) Keeping Your App Up to Date:

The first way to protect yourself from such vulnerabilities is to make sure your app is up to date, which means having the latest version of the app installed on your phone.

This is because an app only releases a new version when it has added features or fixed bugs, and security fixes like the one TikTok shipped in February arrive the same way. In either case, installing the latest version on your phone is the wiser choice.

2) Install the App From Official Sources:

Installing the app from an official source assures you that it is the genuine version and the safest one available.

When you download an app from untrustworthy sources, there is a high chance that it has been tampered with or bundled with malware that could access your private files and information. Always install the app from an official source.

3) Reporting Strange Behavior:

Another safeguard applies when your app starts acting up: your first course of action should be to file an official report through the app's customer support channels.

When you do this, and the app's developers receive similar reports from other users, it gives them a reason to investigate and fix the issue for a better user experience.

These are a few steps you can take on your end to ensure that you, as a user, are protected.

Are the Apps Becoming More Vulnerable?

TikTok is only one of many well-known apps facing such security issues lately.

Last year alone saw a string of apps facing security flaws and data breaches. A few notable ones are the Amazon Ring app, Apple's iMessage app, the Slack messaging app, and many more.

With the kind of technological advancement in the world, you would think such issues would be few and far between, but alas, they seem to come up more and more. And according to some sources, apps are lately becoming more vulnerable to such attacks!


Published on Sep 2, 2022
Written by Tanya Jethwani
Tanya Jethwani likes to describe herself as a reader any chance she gets. Currently pursuing a bachelor's degree in Mass communication, her goal is to enjoy her time as a news researcher and a writer. She has always wanted to travel the world and listen to a lot of music along the way.
