Microsoft: TikTok flaw enables account takeovers
Microsoft has discovered that the TikTok Android app has been impacted by a high-severity vulnerability, tracked as CVE-2022-28799, which could allow quick and stealthy account takeovers through a specially crafted link, according to BleepingComputer.
According to Microsoft, such a link could expose more than 70 JavaScript methods which, combined with a flaw in TikTok's WebView component, could be abused by an attacker.
"Attackers could have then accessed and modified users' TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users," said Microsoft 365 Defender Research Team's Dimitrios Valsamaras.
HackerOne has provided more insights into the flaw.
"A WebView Hijacking vulnerability was found on the TikTok Android application via an un-validated deeplink on an un-sanitized parameter. This could have resulted in account hijacking through a JavaScript interface," said HackerOne.
There has been no evidence indicating active exploitation of the vulnerability, which has already been patched with the release of TikTok version 23.7.3.
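The bug class described above, a deeplink parameter forwarded unchecked into a WebView that carries a JavaScript bridge, shown as an added illustration beside a hardened version. This is example code, not TikTok's (which is not public); the parameter name `redirect_url`, the `ProfileBridge` class and the `ALLOWED_HOSTS` list are assumptions.

```java
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.List;

// Hypothetical bridge object exposed to page JavaScript. Any method here is
// callable by whatever page the WebView loads, which is why the origin matters.
class ProfileBridge {
    @JavascriptInterface
    public String getSessionToken() { return "<session-token>"; }
}

class DeeplinkHandler {
    // Hypothetical allowlist: the only hosts whose pages may reach the bridge.
    static final List<String> ALLOWED_HOSTS =
            Arrays.asList("www.example-app.com", "m.example-app.com");

    // Vulnerable pattern: the deeplink's query parameter is loaded as-is into a
    // WebView that already has a JavaScript interface attached, so a page on an
    // attacker-controlled host can call the bridge.
    static void loadUnsafe(WebView webView, Uri deeplink) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new ProfileBridge(), "AppBridge");
        webView.loadUrl(deeplink.getQueryParameter("redirect_url"));
    }

    // Hardened check: require https and an exact, allowlisted host. javascript:
    // URLs and other schemes have no host and are rejected here as well.
    static boolean isTrustedUrl(String url) {
        if (url == null) return false;
        Uri target = Uri.parse(url);
        String host = target.getHost();
        return "https".equalsIgnoreCase(target.getScheme())
                && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    // Hardened pattern: validate first, attach the bridge only for a first-party
    // destination, and never fall back to loading the untrusted value.
    static boolean loadSafe(WebView webView, Uri deeplink) {
        String url = deeplink.getQueryParameter("redirect_url");
        if (!isTrustedUrl(url)) {
            return false; // caller should drop the deeplink and log the rejection
        }
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new ProfileBridge(), "AppBridge");
        webView.loadUrl(url);
        return true;
    }
}
```

Checking only the initial URL is not sufficient on its own: an allowlisted page can redirect, so a `WebViewClient` should re-apply `isTrustedUrl` in `shouldOverrideUrlLoading` before any navigation is allowed to proceed.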