Microsoft has released a detailed description of a now-resolved issue that was potentially dangerous for TikTok users. Microsoft classified the issue as a “high-severity vulnerability,” requiring several steps to be chained together to function. Attackers who use it could compromise accounts with a single click.

The standard consequences of a compromised account apply from there: sending messages, uploading content, inspecting sensitive information, or viewing private videos would all have been possible. Worse, Microsoft discovered that both Android versions of the TikTok app were vulnerable to this flaw. That amounts to approximately 1.5 billion installations in total, so it is just as well that it has been fixed. TikTok was notified of the vulnerability in February of this year, and the fix is now in place.

Shall we take a look?

What is a deeplink?

To avoid any confusion, deeplinks have nothing to do with deepfakes.

This problem revolves around TikTok’s deeplink verification. A deeplink lets a URL behave in a variety of ways beyond simply opening a web page, for instance by handing off to a specific app. According to Engadget, tapping a Twitter embed in Chrome on mobile, which opens the Twitter app, is an example of this in action.

Where this goes wrong is when someone discovers a way to circumvent deeplink verification and cause URLs to behave unexpectedly. As it happens, our old pal JavaScript is the first link in the chain of success.

The perils of JavaScript interface injection

Exploitation depended on how the app implemented JavaScript interfaces, which are exposed to web content through WebView, the Android operating system component used to load and display web pages. Because untrusted content could be loaded in the WebView, the app was vulnerable to JavaScript interface injection. This may result in corrupted data, data leakage, and even arbitrary code execution.

Microsoft discovered that when several of these issues related to handling a specific deeplink were chained together, they could force the loading of arbitrary URLs into the app’s WebView.

The now-fixed vulnerability is tracked as CVE-2022-28799:

Account takeover is possible in the TikTok app for Android prior to 23.7.3. A crafted URL (an unvalidated deeplink) can cause the com.zhiliaoapp.musically WebView to load any website. This may allow an attacker to leverage an attached JavaScript interface for a one-click takeover.

Fixes and suggestions

Microsoft offers the following advice to app developers who must work with JavaScript interfaces:

  • Use the default browser to open URLs that are not approved by the application.
  • Maintain the approved list and track the expiration dates of the domains on it. This prevents attackers from claiming an expired domain on the approved list and hijacking the WebView.
  • When comparing a URL against the approved list of trusted domains, avoid partial string comparison methods.
  • Avoid adding staging or internal network domains to the approved list, because an attacker could spoof these domains to hijack the WebView.
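To make the second and third recommendations concrete, here is an added example (not TikTok’s or Microsoft’s code) that models the check an app would run before deciding whether a deeplink target may be loaded in the in-app WebView, where the JavaScript interface is attached, or must be handed to the system browser. The hosts, expiry dates and URLs are constructed for illustration.

```python
"""Deeplink target validation: partial string match versus exact host allowlist.

Added example, not code from TikTok or Microsoft. All domains, dates and
URLs below are constructed.
"""
from datetime import date
from urllib.parse import urlsplit

# Approved hosts, each with the registration expiry tracked per entry
# (constructed values) so that a lapsed domain drops off the list.
APPROVED_HOSTS = {
    "www.example-app.com": date(2027, 1, 31),
    "m.example-app.com": date(2026, 6, 30),
}


def weak_is_trusted(url: str) -> bool:
    """Partial string comparison of the kind the advice warns against:
    any URL that merely contains the brand string is accepted."""
    return "example-app.com" in url


def is_trusted(url: str, today: date) -> bool:
    """Exact host match against the approved list, HTTPS only, with no
    userinfo in the URL, and only while the entry's registration is current."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    expiry = APPROVED_HOSTS.get(host)
    return expiry is not None and today <= expiry


def route(url: str, today: date) -> str:
    """Where a deeplink target goes: the WebView (JavaScript interface
    attached) only for trusted hosts, the default browser for everything else."""
    return "webview" if is_trusted(url, today) else "browser"


if __name__ == "__main__":
    samples = [  # constructed deeplink targets
        "https://www.example-app.com/video/1",
        "https://www.example-app.com.attacker.test/",
        "https://attacker.test/?next=www.example-app.com",
        "https://www.example-app.com@attacker.test/",
    ]
    for u in samples:
        print(f"{u:50} weak={weak_is_trusted(u)!s:5} route={route(u, date(2025, 1, 1))}")
```

Of the four constructed samples only the first reaches the WebView; the other three pass the partial-match check but are sent to the browser by the exact host comparison.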

It’s worth noting that Microsoft has found no evidence of this being used in the wild. There is no need for users to panic about this particular exploit. There are numerous threats for TikTok users, such as phishing and social engineering. This one, on the other hand, can be classified as a highly technical “close, but no cigar.”
