We take a look at a TikTok exploit discovered by Microsoft and passed on to the social media giant to be fixed.
Microsoft has released a detailed rundown of an issue, now fixed, which was potentially dangerous for users of TikTok. The problem, flagged as a “high-severity vulnerability” by Microsoft, required several steps chained together in order to function. Attackers making use of it could have compromised accounts with one click.
From there, the standard rules of engagement for compromised accounts apply. Sending messages, uploading content, checking out sensitive information or looking at private videos: all of this and more would have been possible. Worse, Microsoft determined that both versions of the TikTok app on Android were vulnerable to this issue. That’s around 1.5 billion installations in total, so it’s just as well TikTok received word of the vulnerability in February of this year and it’s now fixed.
Shall we take a look?
What is a deeplink?
To ward off any possible confusion, deeplinks are completely unrelated to deepfakes.
This issue hinges on TikTok’s deeplink verification. These deeplinks can make URLs function in a variety of different ways. As Engadget explains, hitting a Twitter embed on Chrome mobile which opens the Twitter app is an example of this working in practice.
Microsoft found that several of these issues chained together with regard to handling a specific deeplink could force loading of arbitrary URLs in the app’s WebView.
The now-fixed vulnerability lives on only as CVE-2022-28799:
Fixes and suggestions
Use the default browser to open URLs that don’t belong to the application’s approved list.
Keep the approved list up to date and track the expiration dates of the included domains. This can prevent attackers from hijacking WebView by claiming an expired domain on the approved list.
Avoid using partial string comparison methods to compare and verify a URL with the approved list of trusted domains.
Avoid adding stage or internal network domains to the approved list as these domains could be spoofed by an attacker to hijack WebView.
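The last two recommendations above, illustrated with an added example that is not Microsoft’s or TikTok’s code: a substring check of the kind the advisory warns against, beside an exact-host allowlist check that sends anything else to the default browser. The approved hosts and sample deeplink URLs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed allowlist of exact hostnames (placeholder domains, not TikTok's real list).
APPROVED_HOSTS = frozenset({"www.example-app.com", "m.example-app.com"})


def weak_is_trusted(url: str) -> bool:
    """Partial string comparison: passes any URL that merely contains the domain text."""
    return "example-app.com" in url


def is_trusted(url: str) -> bool:
    """Exact match: scheme must be https and the parsed host must equal an approved entry."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https" or parts.hostname is None:
        return False
    return parts.hostname.lower() in APPROVED_HOSTS


def route_deeplink(url: str) -> str:
    """Where a deeplinked URL goes: the in-app WebView only if trusted, else the default browser."""
    return "webview" if is_trusted(url) else "browser"


# Constructed sample deeplink targets showing where the two checks disagree.
SAMPLE_URLS = [
    "https://www.example-app.com/video/123",            # legitimate
    "https://www.example-app.com.attacker.test/",       # approved name as a subdomain prefix
    "https://attacker.test/?next=https://www.example-app.com",  # approved name in query
    "https://www.example-app.com@attacker.test/",       # approved name in userinfo
    "http://www.example-app.com/",                      # right host, wrong scheme
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u:60} weak={weak_is_trusted(u)!s:5} strict={is_trusted(u)!s:5} -> {route_deeplink(u)}")
```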
It’s important to note that Microsoft has seen no evidence of this being exploited in the wild. There is no need for users to panic about this particular exploit. There are many threats out there for users of TikTok, like phishing and social engineering. This one, however, can be set aside as a highly technical “close, but no cigar”.