Bug in Android version of TikTok allowed user accounts to be hacked

Microsoft has discovered a dangerous vulnerability in the Android version of the TikTok app. Experts note that the exploitation of the flaw allows attackers to gain control over user accounts, for this, it is enough to force the victim to follow a malicious link.

Dimitrios Valsamaras of the Microsoft 365 Defender Research team emphasizes that an attack can be carried out without the knowledge of the user. All a cybercriminal needs is a specially prepared link.

“Attackers can take control of a user’s account, and then change the account and pull out confidential information from there: closed videos, private messages, etc.,” adds Valsamaras.

The vulnerability lies in the Android WebView system component, which allows you to view web content inside the application. By the way, TikTok has recently been criticized because of the code, thanks to which the built-in browser can track user passwords and credit cards.

Using special JavaScript methods and an identified flaw in the Android version of TikTok, an attacker can access profiles on the popular social network, as well as make HTTP requests.

Moreover, the attacker will see authentication tokens, all information entered into the account, videos with limited access rights, and profile settings. HackerOne also mentioned this vulnerability.

The problem received the identifier CVE-2022-28799 , the developers fixed it with the release of TikTok version 23.7.3. According to Microsoft, attackers have not yet tried to use the gap in real cyber attacks.

Catch up on more articles here

Follow us on Twitter here


Must read


Related Posts