Home > Cyber News > CVE-2022-28799: Severe One-Click Vulnerability in TikTok App for Android

CVE-2022-28799: Severe One-Click Vulnerability in TikTok App for Android

CVE-2022-28799: Severe One-Click Vulnerability in TikTok App for Android
A high severity vulnerability in the TikTok Android app has been fixed. The flaw could enable attackers to take over user accounts by tricking users into clicking a malicious link. Discovered by Microsoft, the vulnerability has already been fixed.

Related Story: High-Profile TikTok Influencers Targeted in Phishing Campaign

Successful exploitation of the TikTok flaw would have required several flaws to be changed together, Microsoft said. Fortunately, no evidence of in-the-wild exploits has been discovered so far. “Attackers could have leveraged the vulnerability to hijack an account without users’ awareness if a targeted user simply clicked a specially crafted link,” the company noted.

As a result, attackers would have been able to modify TikTok profiles and access users’ sensitive details. The flaw could have led to publicizing private videos, sending messages, and uploading videos on behalf of victimized accounts.

CVE-2022-28799: Technical Overview

In technical terms, the vulnerability, now known as CVE-2022-28799, allowed the app’s deeplink verification to be circumvented. As a result, hackers could load an arbitrary URL to the app’s WebView, allowing the URL to access WebView’s attacked JavaScript bridges.

According to the official CVE description, the TikTok application before 23.7.3 for Android allows account takeover. A crafted URL or an unvalidated deeplink could force the com.zhiliaoapp.musically WebView to load an arbitrary website. This action could further allow a threat actor to leverage an attached JavaScript interface for a one-click takeover attack.

“We’ve previously researched JavaScript bridges for their potential wide-reaching implications. Emphasizing the importance of exercising caution when clicking unknown links, this research also displays how collaboration within the security community is necessary to improve defenses for the overall digital ecosystem,” Microsoft added.

After carrying out a vulnerability assessment of TikTok, the researchers determined that the vulnerability affected both flavors of TikTok for Android, with more than 1.5 billion installations combined via the Google Play Store. Following the disclosure, TikTok quickly released a fix for CVE-2022-28799. TikTok users should ensure that they are using the latest version of the TikTok app.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree