A newly reported "high severity vulnerability" in the TikTok app for Android could have allowed Hackers to take over accounts.

Microsoft on Wednesday disclosed details of a now-patched "high severity vulnerability" in the TikTok app for Android that could let attackers take over accounts when victims clicked on a malicious link.

"Attackers could have leveraged the vulnerability to hijack an account without users' awareness if a targeted user simply clicked a specially crafted link," Dimitrios Valsamaras of the Microsoft 365 Defender Research Team said in a write-up.

Successful exploitation of the flaw could have permitted malicious actors to access and modify users' TikTok profiles and sensitive information, leading to the unauthorized exposure of private videos. Attackers could also have abused the bug to send messages and upload videos on behalf of users.

The issue, addressed in version 23.7.3, impacts two flavors of its Android app com.ss.android.ugc.trill (for East and Southeast Asian users) and com.zhiliaoapp.musically (for users in other countries except for India, where it's banned). Combined, the apps have more than 1.5 billion installations between them.

Tracked as CVE-2022-28799 (CVSS score: 8.8), the vulnerability has to do with the app's handling of what's called a deeplink, a special hyperlink that allows apps to open a specific resource within another app installed on the device rather than directing users to a website.

"A crafted URL (unvalidated deeplink) can force the com.zhiliaoapp.musically WebView to load an arbitrary website," according to an advisory for the flaw. "This may allow an attacker to leverage an attached JavaScript interface for the takeover with one click."

Put simply, the flaw makes it possible to circumvent the apps's restrictions to reject untrusted hosts and load any website of the attacker's choice through the Android System WebView, a mechanism to display web content on other apps.

"The filtering takes place on the server-side and the decision to load or reject a URL is based on the reply received from a particular HTTP GET request," Valsamaras explained, adding the static analysis "indicated that it is possible to bypass the server-side check by adding two additional parameters to the deeplink."

A consequence of this exploit designed to hijack WebView to load rogue websites is that it could permit the adversary to invoke over 70 exposed TikTok endpoints, effectively compromising a user's profile integrity. There's no evidence that the bug has been weaponized in the wild.

"From a programming perspective, using JavaScript interfaces poses significant risks," Microsoft noted. "A compromised JavaScript interface can potentially allow attackers to execute code using the application's ID and privileges."

Comments

UGANDA ELECTORAL COMMISSION TO ELIMINATE NATIONAL IDENTIFICATION CARDS (IDs) FOR 2021 GENERAL ELECTIONS.

The elimination of using National IDs (Ndagamuntu) for the 2021 elections should not have come as a surprise. One would be very NAIVE to think that Bobi Wine has not prepared for this in his Business Plan under the RISK section. It is public knowledge that our EC is not independent. It is also public knowledge that Military Dictator Yoweri Museveni will never lose an election. What stunned us this morning is when we noticed that on social media, people were mocking Bobi with his "get your Ndagamuntu". We are on record for saying to all Our readers that the National ID is like Apartheid in South Africa. Students of History would know how those IDs were being used to arrest people, deny them jobs, deny them basic services. Consequently, Bobi was not wrong and will never be wrong on the Ndagamuntu. Except the ones attacking him and mocking him forget that in Uganda, now, no National ID (Ndagamuntu), no service. If you have not been denied registering your child i...

Parliament Urges Government to Provide Shs 4 Billion to Media Houses to Run Awareness Campaign on Tourism in Uganda.

Parliament also urged Gov’t to provide additional Shs4Bn to UTB to engage international and national media houses in production of positive media stories for improved destination image, following reports of drop in number of tourists from US, Europe and China visiting Uganda. "The National Development Plan targeted to cumulatively attract 281,760 International Tourist arrivals from US, Europe & China but only 67,252 arrivals were registered by the end of the first half of FY 2023/24. The U.S, Europe & China were key target source for leisure tourist who stay longer than business tourists. However, statistics show that international arrivals from the aforementioned areas have continue to drop. The UTB requires Shs4Bn to engage international & national media houses in production of positive tourism stories to improve destination perception in light of recent controversies that shade the destination in a bad light. However, this has remained unfunded,” said La...

President Museveni Praises Soldiers for Torturing Bobi Wine in Arua on August 2018.

President Museveni at the passout of police officers in Masindi Friday https://www.facebook.com/1829407613953796 President Museveni has praised his Special Forces Command [SFC] guards for properly and legally beating National Unity Platform [NUP] presidential flagbearer, Robert Kyagulanyi aka Bobi Wine. “The other day, there was a fracas in West Nile where our young friend Bobi Wine was fighting security people,” Museveni said Friday while passing out police recruits at Kabalye Training School in Masindi district. “I think they beat him a bit and then they came and said a Member of Parliament has been beaten. I said let me study and see how he was beaten. I found the man had been beaten in the right way,” Museveni explained. “This was because…I think this was SFC people who are not police-minded. They are used to doing other things. But somehow they managed to act properly, I was surprised.” When they [SFC] went where this young man was in the room, he had ca...

Osuta Yusuf

Search This Blog