Cybersecurity TikTok Account Takeover App Hack Only Needed 1 Click, Microsoft Says Davey Winder Senior Contributor Opinions expressed by Forbes Contributors are their own. Co-founder, Straight Talking Cyber New! Follow this author to stay notified about their latest stories. Got it! Sep 1, 2022, 04:20am EDT | New! Click on the conversation bubble to join the conversation Got it! Share to Facebook Share to Twitter Share to Linkedin If you use TikTok on an Android phone, make sure your app is up to date Getty Images Microsoft security researchers, part of the 365 Defender Research Team, discovered a serious vulnerability in the TikTok Android app that could enable 1-click account takeovers, according to an in-depth report published August 31.
The vulnerability, CVE-2022-28799 , was rated 8. 8 (high) and is described at the National Institute of Standards and Technology (NIST) as allowing “an attacker to leverage an attached JavaScript interface for the takeover with one click. ” MORE FROM FORBES LastPass Hacked: Password Manager With 25 Million Users Confirms Breach By Davey Winder One-click hack required exploit chain to be successful executed To arrive at that 1-click execution, where the victim was compromised simply by clicking on a maliciously crafted link, the attacker would need to successfully combine a number of issues together first.
Assuming this was achieved, the victim would, by clicking on that single link, give the attacker access to the TikTok user profile and the ability to publish videos and send messages, Microsoft reveals. “The vulnerability allowed the app’s deeplink verification to be bypassed. Attackers could force the app to load an arbitrary URL to the app’s WebView,” Microsoft says, “allowing the URL to then access the WebView’s attached JavaScript bridges and grant functionality to attackers.
” User login security was able to be bypassed by triggering a request to a controlled server in order to log cookie and request headers to grab the user’s TikTok authentication token. MORE FOR YOU iOS 15: Apple Issues 22 Important iPhone Security Updates Widely-Used Hikvision Security Cameras Vulnerable To Remote Hijacking iOS 15 Is Available Now With These Stunning New iPhone Privacy Features MORE FROM FORBES Google Confirms New Attack Can Read All Gmail Messages: Iran Accounts Targeted By Davey Winder 1. 5 billion TikTok Android app users With more than 1.
5 billion TikTok for Android apps installed, combining both versions available globally, the potential impact of CVE-2022-28799 was deserving of that high rating. The Microsoft 365 Defender Research Team agreed, and a senior security researcher shared the details to TikTok by way of coordinated vulnerability disclosure in February 2022. TikTok responded efficiently and effectively, updating the Android app to fix the problem.
TikTok users who access it via Android are urged to check that their app has been updated and is protected against this security issue. App versions prior to 23. 7.
3 are impacted. There’s more good news from Microsoft in that it was not aware of any active exploitation of CVE-2022-28799 before the app was updated. Mitigation advice for similar attack methodologies Dimitrios Valsamaras from the Microsoft 365 Defender Research Team recommends the following to defend against any similar security exploits: Avoid clicking links from untrusted sources Always keep the device and the installed applications updated Never install applications from untrusted sources Immediately report any strange application behavior to the vendor, such as setting changes triggered without user interaction.
MORE FROM FORBES New Gmail Attack Bypasses Passwords And 2FA To Read All Email By Davey Winder Follow me on Twitter or LinkedIn . Check out my website or some of my other work here . Davey Winder Editorial Standards Print Reprints & Permissions.
From: forbes
URL: https://www.forbes.com/sites/daveywinder/2022/09/01/tiktok-account-takeover-app-hack-only-needed-1-click-microsoft-says/