

TikTok Users Were Vulnerable to a Single-Click Attack
source link: https://www.wired.com/story/tiktok-android-app-deep-link-vulnerability/


Microsoft said on August 31 that it recently identified a vulnerability in TikTok's Android app that could allow attackers to hijack accounts when users did nothing more than click on a single errant link. The software maker said it notified TikTok of the vulnerability in February and that the China-based social media company has since fixed the flaw, which is tracked as CVE-2022-28799.
The vulnerability resided in how the app verified what’s known as deep links, which are Android-specific hyperlinks for accessing individual components within a mobile app. Deep links must be declared in an app’s manifest for use outside of the app—so, for example, someone who clicks on a TikTok link in a browser has the content automatically opened in the TikTok app.
An app can also cryptographically declare the validity of a URL domain. TikTok on Android, for instance, declares the domain m.tiktok.com. Normally, the TikTok app will allow content from tiktok.com to be loaded into its WebView component but forbid WebView from loading content from other domains.
“The vulnerability allowed the app’s deep link verification to be bypassed,” Microsoft’s researchers wrote. “Attackers could force the app to load an arbitrary URL to the app’s WebView, allowing the URL to then access the WebView’s attached JavaScript bridges and grant functionality to attackers.”
The researchers went on to create a proof-of-concept exploit that did just that. It involved sending a targeted TikTok user a malicious link that, when clicked, obtained the authentication tokens that TikTok servers require for users to prove ownership of their account. The link also changed the targeted user’s profile bio to display the text “!! SECURITY BREACH !!”
“Once the attacker’s specially crafted malicious link is clicked by the targeted TikTok user, the attacker’s server, https://www.attacker[.]com/poc, is granted full access to the JavaScript bridge and can invoke any exposed functionality,” the researchers wrote. “The attacker’s server returns an HTML page containing JavaScript code to send video upload tokens back to the attacker as well as change the user’s profile biography.”
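The article does not say how TikTok’s deep link verification was bypassed, only that a URL supplied through a deep link reached the WebView and its JavaScript bridges. The following added example (illustrative code, not TikTok’s or Microsoft’s) shows the kind of check an app should make before loading a deep-link-supplied URL into a WebView: a loose substring match is compared with a parse-then-allowlist check on the exact host and scheme. The `myapp://webview?url=` deep link format and the `tiktok.com` allowlist are assumptions made for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist for illustration; the article says the app permits
# tiktok.com content in its WebView but does not give the real host list.
ALLOWED_HOSTS = {"tiktok.com"}
ALLOWED_SCHEMES = {"https"}


def weak_is_allowed(url: str) -> bool:
    """Substring test: passes any URL that merely mentions the domain."""
    return "tiktok.com" in url


def strict_is_allowed(url: str) -> bool:
    """Parse the URL and compare scheme and exact host against the allowlist."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ALLOWED_SCHEMES:  # urlsplit lower-cases the scheme
        return False
    host = parts.hostname  # drops userinfo and port, lower-cases the host
    if not host:
        return False
    # exact match or a subdomain separated by a dot; "eviltiktok.com" fails
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def resolve_deeplink(deep_link: str, check=strict_is_allowed):
    """Return the URL a hypothetical 'webview' deep link asks the app to load,
    or None when the request must be refused. The deep link format is assumed."""
    parts = urlsplit(deep_link)
    if parts.scheme != "myapp" or parts.netloc != "webview":
        return None
    target = parse_qs(parts.query).get("url", [None])[0]
    if target is None or not check(target):
        return None
    return target


if __name__ == "__main__":
    # Constructed inputs: a legitimate link and a link that only mentions the domain.
    for link in ("myapp://webview?url=https%3A%2F%2Fm.tiktok.com%2Fvideo%2F1",
                 "myapp://webview?url=https%3A%2F%2Ftiktok.com%40attacker.example%2Fpoc"):
        print(link, "->", resolve_deeplink(link, check=weak_is_allowed),
              "| strict:", resolve_deeplink(link))
```

Only the strict check refuses the second link, whose real host is `attacker.example`; the weak check would have handed it to the WebView.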
Microsoft said it has no evidence the vulnerability was actively exploited in the wild.
This story originally appeared on Ars Technica.