
Researchers have discovered a vulnerability in TikTok’s Android app which could allow attackers to remotely hijack user accounts.
Tracked as CVE-2022-28799, the vulnerability was reported to TikTok by Microsoft in February 2022, and TikTok promptly fixed the issue. Despite the app's estimated 1.5 billion downloads on the Play Store, the bug has not yet been exploited in the wild.
Attackers could force the app to load an arbitrary URL in the app's WebView. The loaded page could then access the JavaScript bridges attached to that WebView, granting their functionality to the attacker and bypassing the app's verification.
Microsoft identified over 70 exposed JavaScript methods that, when paired with a WebView-hijacking exploit such as this bug, could be used to grant functionality to the attackers.
By exploiting the bug, an attacker can retrieve the user's authentication tokens by triggering a request to an attacker-controlled server and logging the cookies and request headers. The attacker can also retrieve or modify the user's TikTok account data by triggering a request to a TikTok endpoint and reading the reply via the JavaScript callbacks.
Once the attacker’s specially crafted malicious link is clicked by the targeted TikTok user, the attacker’s server is granted full access to the JavaScript bridge and can invoke any exposed functionality. The attacker’s server returns an HTML page containing JavaScript code to send video upload tokens back to the attacker as well as change the user’s profile biography.
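As an added illustration (not TikTok's code and not taken from Microsoft's report), the hypothetical Android Activity below shows the class of bug described above: a deep-link parameter handed straight to WebView.loadUrl() while a JavaScript bridge is attached, alongside a hardened version that allowlists the destination host before loading. The class and member names (DeepLinkActivity, NativeBridge, ALLOWED_HOSTS), the "url" query parameter and the example hosts are all assumptions.

```java
// Added illustration, not TikTok's code: an Android Activity that receives a deep link
// and loads a URL from it into a WebView that has a JavaScript bridge attached.
// Class, method and host names are hypothetical.
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class DeepLinkActivity extends Activity {

    // Hypothetical bridge: any page loaded into the WebView can call these methods from
    // JavaScript. An attacker-controlled page gets exactly the same access, which is why
    // the loaded URL must be trusted before loadUrl() is ever called.
    static class NativeBridge {
        @JavascriptInterface
        public String getSessionToken() {
            return "<token-redacted>"; // placeholder; a real bridge would return app state
        }
    }

    // Hosts this WebView is permitted to load (hypothetical allowlist).
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.example-app.com", "m.example-app.com"));

    private WebView webView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new NativeBridge(), "native");
        setContentView(webView);

        // VULNERABLE PATTERN: the deep link's "url" parameter goes to loadUrl() unchecked,
        // so a crafted link points the bridge-equipped WebView at any server.
        //   Uri link = getIntent().getData();
        //   webView.loadUrl(link.getQueryParameter("url"));

        // HARDENED PATTERN: validate the destination before loading it.
        Uri link = getIntent().getData();
        String target = link == null ? null : link.getQueryParameter("url");
        if (!isAllowedUrl(target)) {
            finish(); // refuse to load; a rejected deep link is also worth logging for detection
            return;
        }
        // Re-check every navigation the page performs so a redirect cannot leave the allowlist.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isAllowedUrl(request.getUrl().toString()); // true = block the navigation
            }
        });
        webView.loadUrl(target);
    }

    // Allow only https URLs whose parsed host is exactly on the allowlist. Using Uri.getHost()
    // rather than substring matching rejects inputs such as
    // "https://www.example-app.com.attacker.test/" and "https://attacker.test/?x=www.example-app.com";
    // URLs carrying userinfo ("https://www.example-app.com@attacker.test/") are refused outright.
    static boolean isAllowedUrl(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        if (uri.getUserInfo() != null) return false;
        String host = uri.getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase());
    }
}
```

The design point is that the check runs on the parsed scheme and host, not on the raw string, and that it is applied both to the initial deep-link URL and to every later navigation through shouldOverrideUrlLoading; a bridge attached with addJavascriptInterface should only ever be reachable from origins the app itself controls.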
With complete access over users’ accounts, attackers could change their profile details, send messages, upload videos, and even publish private videos.