🚨 One-Click Account Hijacking on TikTok
🔍 Discovered by: Microsoft Threat Intelligence
📅 Date: August 31, 2022
🛠 CVE: CVE-2022-28799

🚨 Overview
Microsoft discovered a high-severity vulnerability in the TikTok Android app, which could have allowed attackers to hijack user accounts with a single click ⚠️. This flaw, if exploited, could let an attacker take full control of a victim’s account without their knowledge. Fortunately, TikTok quickly patched the issue, and no active exploitation was found.
🔥 How Attackers Could Exploit This
1️⃣ The vulnerability bypassed deeplink verification in the TikTok app.
2️⃣ Attackers could force the app to load a malicious URL inside the app’s WebView.
3️⃣ Through JavaScript bridges, the attacker could gain access to TikTok’s internal functionalities.
4️⃣ A victim only needed to click a specially crafted link for the attack to work 🎯.
Once exploited, the attacker could:
- Modify the user’s profile (e.g., change bio, delete content, upload videos 📹).
- Send messages on behalf of the user 📩.
- Make private videos public 🔓.
🔑 The Technical Breakdown
🖥️ JavaScript Interface Exploitation
The attack relied on TikTok’s use of JavaScript interfaces inside WebView:
- WebView allows apps to load web pages 📄.
- JavaScript interfaces provide a bridge between Java code and JavaScript.
- If an attacker injects malicious JavaScript, they can call internal Java methods inside TikTok 😱.
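To make the chain in the exploitation steps above and in this breakdown concrete (deeplink handling, WebView loading, JavaScript bridge), here is an added example that is not TikTok’s code and not from Microsoft’s report. It is a hypothetical Android Activity with invented names (`DeeplinkWebViewActivity`, an `exampleapp://` scheme, `example-app.com` hosts, an `AppBridge` interface) that shows the weak kind of URL check that lets an arbitrary page into a bridge-equipped WebView next to a strict allowlist check, and attaches the JavaScript bridge only after the strict check passes.

```java
// Added example, not TikTok's code or Microsoft's: a hypothetical Android Activity that
// receives a deeplink, decides whether the embedded URL may be loaded in a WebView, and
// only then exposes a JavaScript bridge. All names, hosts and the scheme are invented.
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class DeeplinkWebViewActivity extends Activity {

    // Hypothetical allowlist of first-party hosts permitted inside the WebView.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.example-app.com", "m.example-app.com"));

    // Hypothetical deeplink shape: exampleapp://webview?url=<URL-encoded target>
    private static final String URL_PARAM = "url";

    /** WEAK: a substring match. Any URL whose host or query merely contains the
     *  expected name passes, so a third-party page can reach the WebView. */
    static boolean weakIsTrusted(String url) {
        return url != null && url.contains("example-app.com");
    }

    /** STRICT: parse the URL, require https, reject userinfo, and compare the
     *  exact host against the allowlist. */
    static boolean strictIsTrusted(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false;
        if (!"https".equalsIgnoreCase(scheme)) return false;
        if (uri.getUserInfo() != null) return false; // e.g. https://trusted@other.host/
        return ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    /** The bridge that page JavaScript can call. Keep its surface minimal: every
     *  @JavascriptInterface method is reachable by whatever page is loaded. */
    static class AppBridge {
        @JavascriptInterface
        public String appVersion() {
            return "1.0.0"; // constructed value for the example
        }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        Uri deeplink = getIntent().getData();
        String target = deeplink == null ? null : deeplink.getQueryParameter(URL_PARAM);

        if (!strictIsTrusted(target)) {
            // Untrusted or missing URL: load nothing and attach no bridge.
            finish();
            return;
        }

        webView.getSettings().setJavaScriptEnabled(true);
        // Reached only for an allowlisted first-party page.
        webView.addJavascriptInterface(new AppBridge(), "AppBridge");

        // Keep later top-level navigations inside the allowlist too; otherwise a trusted
        // page that links elsewhere would carry the bridge along to the next page.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !strictIsTrusted(request.getUrl().toString()); // true = block the load
            }
        });
        webView.loadUrl(target);
    }
}
```

The defensive point is the ordering: the bridge is attached only after the target URL has passed an exact host-and-scheme check, and navigations after the first load are held to the same allowlist. A check like `weakIsTrusted` is the shape of deeplink validation that a crafted link can slip past, which is the first step in the chain above. `shouldOverrideUrlLoading(WebView, WebResourceRequest)` is the API 24+ overload.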