Microsoft Uncovers Severe 'One-Click' Exploit for TikTok Android App

Microsoft has uncovered a severe 'one-click' exploit for the TikTok Android app that enables threat actors to gain access to a user's account when the victim clicks a malicious link.

Dimitrios Valsamaras of the Microsoft 365 Defender Research Team said in a write-up, “Attackers could have leveraged the vulnerability to hijack an account without users’ awareness if a targeted user simply clicked a specially crafted link.”

Attackers may have abused the bug to send messages and upload videos on behalf of users, leading to unauthorized exposure of private videos.

The flaw has been addressed in version 23.7.3. It impacts two flavors of the Android app, i.e. com.ss.android.ugc.trill (for East and Southeast Asian users) and com.zhiliaoapp.musically (for users in other countries, except India, where it is banned). There are more than 1.5 billion installations between them.

The flaw, tracked as CVE-2022-28799, concerns deep links, which allow an app to open a specific resource within another app installed on the device rather than directing users to a website. Its severity was reported as 8.8 on the CVSS scale.

A crafted URL may force the Musically app to load an arbitrary website, which may allow an attacker to take over the account with one click.

On Marshmallow devices, the app's web viewer can be made to load any website, rather than only the content it is intended to show.

The issue stemmed from the server-side filter applied to deep link URLs, which could be bypassed by adding parameters to the deep link URL.

The exploit works by invoking endpoints that affect the integrity of a user's profile. TikTok says there is no evidence that the bug has been weaponized in the wild.

A compromised JavaScript interface poses the risk that an attacker could execute code through the application, compromising the integrity of its data.
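The two weaknesses described above (a deep link filter that can be bypassed by adding parameters, and a web viewer that then loads an arbitrary site where a JavaScript interface is exposed) both come down to how the URL carried inside a deep link is validated. The following is an added example, not code from the article, from Microsoft or from TikTok: it contrasts a hypothetical weak validator, which checks only the first `url` parameter and uses a string prefix test, with a hardened one that parses the target URL, rejects duplicate parameters, and compares the host exactly against an allowlist. The `myapp://` scheme, the `url` parameter name and the `example-app.com` hosts are constructed for the example and are not the app's real values.

```python
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist of hosts the in-app web viewer may load.
# Only pages from these hosts should ever see the JavaScript interface.
ALLOWED_HOSTS = {"www.example-app.com", "m.example-app.com"}


def naive_allows(deep_link: str) -> bool:
    """Hypothetical weak check: inspects only the FIRST 'url' parameter and
    accepts any value that merely starts with the expected origin string."""
    params = parse_qs(urlsplit(deep_link).query)
    target = params.get("url", [""])[0]
    return target.startswith("https://www.example-app.com")


def naive_target(deep_link: str) -> str:
    """Hypothetical consumer that honours the LAST 'url' parameter.
    Because it disagrees with naive_allows(), appending a second 'url='
    parameter slips an unchecked URL past the filter."""
    params = parse_qs(urlsplit(deep_link).query)
    return params.get("url", [""])[-1]


def hardened_target(deep_link: str) -> Optional[str]:
    """Hardened check: returns the URL the web viewer may load, or None.

    - exactly one 'url' parameter (duplicates are rejected, so the filter
      and the consumer cannot disagree about which value is used)
    - https only, no embedded credentials, default port only
    - host compared exactly against the allowlist, not by prefix
    """
    params = parse_qs(urlsplit(deep_link).query)
    values = params.get("url", [])
    if len(values) != 1:
        return None
    parts = urlsplit(values[0])
    if parts.scheme != "https":
        return None
    if parts.username or parts.password:
        return None
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return None
    try:
        if parts.port not in (None, 443):
            return None
    except ValueError:  # malformed port
        return None
    return values[0]


# Constructed deep links: a benign one and three that defeat the naive check.
SAMPLES = [
    "myapp://open?url=https://www.example-app.com/help",
    "myapp://open?url=https://www.example-app.com.evil.example/x",          # prefix trick
    "myapp://open?url=https://www.example-app.com/ok&url=https://evil.example/s",  # extra parameter
    "myapp://open?url=https://www.example-app.com@evil.example/",             # userinfo trick
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link)
        print("  naive allows:", naive_allows(link), "-> loads", naive_target(link))
        print("  hardened    :", hardened_target(link))
```

The hardened validator should run on the device immediately before the WebView is given the URL, not only on a server that the client later trusts, and the JavaScript interface should be attached only when the final host is in the allowlist. The duplicate-parameter rejection is the key point: a filter and a consumer that read different copies of the same parameter give an attacker a way to add parameters until the two disagree.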
