A TikTok bug allowed accounts to be stolen with a single click

Microsoft has discovered a vulnerability in the Android version of the TikTok app, a flaw that could have given cybercriminals access to the system and allowed them to compromise and hijack user accounts.

The Redmond company explained on its blog that it reported this security bug to TikTok in February and that the platform “quickly responded” by releasing a fix for the reported vulnerability.

Microsoft also stressed that it has no record of anyone having taken advantage of this vulnerability to attack TikTok users, or having exploited it for their own benefit.

What was this error about?

First of all, the technology company recalled that TikTok has two versions of the application, one for East and Southeast Asia and another for the rest of the world. Through a vulnerability assessment, it found that the issue affected both versions.

Specifically, this bug, logged as CVE-2022-28799, allowed attackers to bypass the app's deeplink verification.

Thanks to this, cybercriminals could have forced the app to load a URL of their choosing in its WebView component, the component the app uses to display its internal web pages.

Microsoft stressed that, since this WebView exposes JavaScript bridges, the flaw would have given malicious actors up to 70 different ways to access information about their potential victims.
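The deeplink check the article says was bypassed is, in an Android app, the validation performed on the URL carried by the incoming Intent before that URL is handed to a WebView that exposes JavaScript bridges. The Java class below is an added example written for this article, not code from TikTok, Microsoft or the original report. It shows the defensive shape of such a check: https only, no embedded credentials, exact match against an allow-list of first-party hosts, and the parsed canonical form (not the raw string) passed on. The host names are placeholders and the Activity wiring in the trailing comment is assumed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

/**
 * Added example (not TikTok's or Microsoft's code): validate a deep-link
 * target before a WebView with JavaScript bridges is allowed to load it.
 * The allow-listed hosts are placeholders for an app's own web origins.
 */
public final class DeepLinkPolicy {

    // Hypothetical first-party hosts. Exact match only: suffix, prefix or
    // substring matching is what loose deep-link filters typically get wrong.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("www.example-app.com", "m.example-app.com");

    private DeepLinkPolicy() {}

    /**
     * Returns the canonical URL to load, or null when the link must be refused.
     * On null the caller should drop the deep link, or open it in the system
     * browser where no app-specific JavaScript bridges exist.
     */
    public static String resolveTrustedUrl(String rawUrl) {
        if (rawUrl == null) return null;
        URI uri;
        try {
            // Strict parser; backslashes, spaces and other junk are rejected here
            uri = new URI(rawUrl).normalize();
        } catch (URISyntaxException e) {
            return null;
        }
        // https only: this refuses javascript:, file:, content:, intent: and http
        if (!"https".equalsIgnoreCase(uri.getScheme())) return null;
        // "https://www.example-app.com@evil.com/" parses with evil.com as the
        // host; a userinfo part has no legitimate use here, so refuse it outright.
        if (uri.getRawUserInfo() != null) return null;
        String host = uri.getHost();
        if (host == null) return null;
        // Only the default TLS port is expected for first-party content
        if (uri.getPort() != -1 && uri.getPort() != 443) return null;
        if (!ALLOWED_HOSTS.contains(host.toLowerCase())) return null;
        // Return the normalised form so the WebView loads exactly what was checked
        return uri.toString();
    }

    // Stand-alone demonstration with constructed inputs.
    public static void main(String[] args) {
        String[] samples = {
            "https://www.example-app.com/help/faq",          // accepted
            "https://www.example-app.com/a/../help",         // accepted, normalised
            "http://www.example-app.com/help",               // refused: not https
            "https://www.example-app.com@evil.example/",     // refused: userinfo
            "https://www.example-app.com.evil.example/",     // refused: not exact host
            "javascript:alert(1)",                           // refused: scheme
        };
        for (String s : samples) {
            System.out.println(s + " -> " + resolveTrustedUrl(s));
        }
    }

    // Assumed wiring in the Activity that receives the deep-link Intent
    // (Android API shown as a comment so this file stays plain Java):
    //   String target = DeepLinkPolicy.resolveTrustedUrl(getIntent().getDataString());
    //   if (target == null) { finish(); return; }
    //   webView.loadUrl(target);
}
```

Two design points matter beyond the checks themselves. The value loaded into the WebView is the string produced by the same parser that was validated, so the WebView cannot see a different host than the policy did. And the JavaScript interfaces should be registered only on a WebView that is reserved for allow-listed first-party content; untrusted links belong in the system browser, where the app's bridges are not reachable at all.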

The flaw even allowed them to retrieve the user’s authentication tokens through a request to an attacker-controlled server and, subsequently, to capture the tracking ‘cookies’ as well.

To determine the severity of the vulnerability, Microsoft researchers tested sending a malicious link to an outside party. Once this URL was clicked, the link handed over the tokens that TikTok’s servers use to verify users’ identity and grant access to their profiles.

The group pointed out that any attacker could rely on this vulnerability in the ‘app’ to hijack an account without the user’s knowledge, simply by inviting them to click on one of these malicious links. (EuropePress)