John Paul M. Joaquin Tech 08.31.2022 23:Aug PM EDT

Microsoft Reports TikTok Android App Flaw That Lets Hackers Take Over Accounts

Cybercriminals might have used TikTok's Android app to harm the app's users.

Microsoft has reportedly found and revealed a high-security vulnerability in TikTok's android app that hackers and cybercriminals may have used to access and modify users' accounts and sensitive information, per Bleeping Computer.

As for now, the security risk has since been patched in an earlier update, but Microsoft has yet to find evidence of hackers and cybercriminals exploiting it.

TikTok High-Security Flaw Details

Microsoft 365 Defender Research Team Senior Security Researcher Dimitrios Valsamaras mentioned in a blog post that TikTok's Android app has a critical flaw that lets cybercriminals "quickly and quietly" take over accounts with just a click of a "specially crafted" link.

He also mentioned that TikTok Android app users in East and Southeast Asia are especially vulnerable as the issue affects both versions, meaning that 1.5 billion people might have been in danger.

HackerOne mentioned in its article that the vulnerability was found on TikTok's Android app through an un-validated deep link on an unsanitized parameter.

The security vulnerability, tracked as CVE-2022-28799, allowed hackers and cybercriminals to access and modify users' accounts and sensitive information using a malicious link sent by suspicious emails.

Normally, hackers and cybercriminals single out a potential target before sending the malicious link.

Clicking the suspicious link will connect the victim's computer to the hacker's server, https://www.attacker[.]com/poc, which will open more than 70 JavasScript methods that could force the com.zhiliaoapp.musically WebView to load an arbitrary site, per the National Institute of Standard and Technology (NIST).

Using the aforementioned methods, hackers and cybercriminals could take over the victim's TikTok account and do either of the following actions:

Retrieve the victim's authentication tokens by triggering a request to a server under the hacker's control and logging the cookie and the request headers
Collect or change the victim's TikTok account data, including private videos and profile settings by executing a request to a TikTok endpoint and getting the reply using the JavaScript callback.

Afterward, the message "!! SECURITY BREACH !!!: will be set in the user's profile biography.

Thankfully, the vulnerability has been patched out with TikTok's V23.7.3 update. However, since it was only patched out in mid-August and the vulnerability was discovered in February, some people might have been affected by the flaw already.

Microsoft has yet to find a case wherein a TikTok user has been affected by the vulnerability in question.

How To Avoid Similar Vulnerabilities Like CVE-2022-28799

CVE-2022-28799, just like with any WebView Hijacking vulnerability, is dependent on the victim clicking on a malicious link sent through a suspicious email or user. As such, to avoid being affected by such a vulnerability, Microsoft advises people to always avoid clicking links from untrusted sources and keep their devices and installed applications updated.

Additionally, installing apps from untrusted sources presents a security risk. Doing background research on the company offering the app will do the trick on this one.

Finally, if an app's behavior is strange, such as setting changes without user interaction, people should immediately report the changes to the vendor.