Microsoft has released a detailed description of a now-resolved issue that was potentially dangerous for TikTok users. Microsoft classified the issue as a “high-severity vulnerability,” requiring several steps to be chained together to function. Attackers who use it could compromise accounts with a single click.
The standard rules of engagement for compromised accounts apply from there: sending messages, uploading content, inspecting sensitive information, or viewing private videos would all have been possible. Worse, Microsoft discovered that both Android versions of the TikTok app were vulnerable to this flaw, which amounts to approximately 1.5 billion installations in total, so it’s just as well that it has been dealt with. TikTok was notified of the vulnerability in February of this year, and it is now fixed.
Shall we take a look?
What is a deeplink?
To avoid any confusion, deeplinks have nothing to do with deepfakes.
This problem revolves around TikTok’s deeplink verification. Deeplinks let URLs behave in different ways, for example by opening an app rather than a web page. According to Engadget, tapping a Twitter embed in Chrome on mobile, which opens the Twitter app, is an example of this in action.
Microsoft discovered that when several of these issues related to the handling of a specific deeplink were chained together, they could force arbitrary URLs to load in the app’s WebView.
The fixed vulnerability is tracked as CVE-2022-28799:
Fixes and suggestions
- Use the default browser to open URLs that are not approved by the application.
- Maintain the approved list and track the expiration dates of the domains on it. This prevents attackers from claiming an expired domain on the approved list and hijacking the WebView.
- When comparing a URL against the approved list of trusted domains, avoid partial string comparison methods.
- Avoid adding staging or internal network domains to the approved list, because an attacker could spoof these domains to hijack the WebView.
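To make the first and third suggestions concrete, here is an added example, not Microsoft’s or TikTok’s code, written in Python because the check itself is language-independent: a partial string comparison of the kind the advisory warns against sits beside an exact-host check, and unapproved URLs are routed to the system browser instead of the WebView. The approved domains and sample URLs are constructed for the illustration; the page does not list TikTok’s real approved list.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example; the page does not list TikTok's real approved domains.
APPROVED_HOSTS = {"m.tiktok.com", "www.tiktok.com"}

def weak_is_approved(url: str) -> bool:
    """Partial string comparison of the kind the advisory warns against:
    any URL that merely contains an approved domain passes."""
    return any(host in url for host in APPROVED_HOSTS)

def strict_is_approved(url: str) -> bool:
    """Parse the URL and require an exact match between its host and the approved list."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":      # plain http lets a network attacker rewrite the page
        return False
    if parts.username is not None:   # reject 'https://approved@attacker' userinfo tricks
        return False
    host = parts.hostname            # lower-cased, port stripped
    return host is not None and host in APPROVED_HOSTS

def route(url: str) -> str:
    """First suggestion from the list: unapproved URLs go to the system browser, not the WebView."""
    return "webview" if strict_is_approved(url) else "browser"

# Constructed sample URLs: the first is legitimate, the rest are lookalikes a partial check accepts.
SAMPLE_URLS = [
    "https://m.tiktok.com/video/123",
    "https://m.tiktok.com.attacker.example/",
    "https://attacker.example/?redirect=https://m.tiktok.com/",
    "https://m.tiktok.com@attacker.example/",
    "http://m.tiktok.com/video/123",
]

def compare(urls=SAMPLE_URLS):
    """Return (url, weak verdict, strict verdict) for each sample."""
    return [(u, weak_is_approved(u), strict_is_approved(u)) for u in urls]

if __name__ == "__main__":
    for url, weak, strict in compare():
        print(f"weak={weak!s:5} strict={strict!s:5} {url}")
```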
It’s worth noting that Microsoft has found no evidence of this being used in the wild. There is no need for users to panic about this particular exploit. TikTok users face numerous other threats, such as phishing and social engineering; this one, on the other hand, can be classified as a highly technical “close, but no cigar.”