Microsoft 365 Defender researchers have disclosed a vulnerability in the TikTok application for Android that they rate as high severity: it would let an attacker take over the account of a user who simply clicked a malicious link, giving the attacker access to the account's main settings and data.
The researchers reported the vulnerability to TikTok last February under their coordinated disclosure process; TikTok promptly patched it, and it is now tracked as CVE-2022-28799.
So far there is no indication that the vulnerability has been exploited in the wild, even though both global builds of the TikTok app for Android were affected: one distributed in East and Southeast Asia and the other in the remaining countries, together totalling more than 1.5 billion downloads on the Google Play Store.
The researchers note in their blog post:
The vulnerability allowed the deep link verification of the application to be bypassed. Attackers could force the application to load an arbitrary URL in the application’s webview, allowing the URL to access the webview’s attached JavaScript bridges and granting functionality to the attackers.
They praise how quickly the TikTok security team patched the vulnerability and urge users to make sure they are running the latest version of the app:
We commend the efficient and professional resolution of the TikTok security team. TikTok users are advised to make sure they are using the latest version of the app.
The researchers say this work is carried out to protect users against threats regardless of which platform is affected.
In this regard, they write:
As cross-platform threats continue to grow in number and sophistication, vulnerability disclosures, coordinated responses, and other ways to share threat intelligence are needed to help protect users' computing experience, regardless of the platform or device in use.
All technical details are available on the Microsoft Security Blog.