A critical flaw in TikTok for Android foiled by Microsoft


A one-click exploit has been found by Microsoft in the TikTok app for Android. Rooted in the application's implementation of JavaScript interfaces, it has been corrected in the latest version published by the Chinese social network.

TikTok is all the rage, and so are its security holes. The latest case is a flaw detected by Microsoft's 365 Defender Research team in the social network's Android application. Downloaded over 1.5 billion times, this program is a prime playground for hackers.

To head off any damage, the security researchers warned the parent company ByteDance of the vulnerability last February; it has since been identified as CVE-2022-28799 and corrected by TikTok.

Users of the Android app are therefore strongly advised to check that they are running the most up-to-date version.

Users of the TikTok network are warmly invited to download the latest version of the app which closes a nice security hole / (credit: TikTok)


The flaw discovered by Microsoft in the TikTok Android app could have allowed attackers to compromise users' accounts with a single click. To date, no evidence of exploitation has been found. “The vulnerability allowed the application's deep link check to be bypassed. Attackers could force the application to load an arbitrary URL into the application's WebView, allowing the URL to then access JavaScript bridges attached to the WebView and grant attackers functionality,” the publisher explains in a blog post.

Good practices to follow

Exploiting this security hole relies on the application's implementation of JavaScript interfaces, which are provided by an Android component called WebView. “Loading untrusted web content into WebView with objects accessed through JavaScript code makes the application vulnerable to JavaScript interface injection, which can lead to data leakage, data corruption, or in some cases, arbitrary code execution,” the researchers warned.

By gaining control of one of the methods capable of making authenticated HTTP requests, a malicious actor could then have compromised a TikTok user's account.

To guard against exploits of this kind involving JavaScript interfaces, Microsoft offers advice such as using an approved list of trusted domains that may be loaded into the application's WebView, so that malicious or untrusted web content is never loaded. Good development practices are also spelled out:

- Use the default browser to open URLs that do not belong to the application's approved list;

- Maintain the approved list and track the expiration dates of the domains it contains. This prevents attackers from hijacking the WebView by registering an expired domain that is still on the list;

- Avoid using partial string comparison methods to compare and verify a URL with the approved list of trusted domains;

- Avoid adding staging or internal network domains to the trusted list, as these domains could be spoofed by an attacker to hijack the WebView.
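An added illustration of these rules in a hypothetical Android WebViewClient (example code written for this article, not TikTok's or Microsoft's; the host names and class name are constructed): the check is an exact host match rather than a substring test, only the allow-listed hosts reach the WebView and its JavaScript bridges, and everything else is handed to the user's default browser.

```java
import android.content.Intent;
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Hypothetical client that only lets allow-listed hosts load inside the WebView. */
public class AllowListWebViewClient extends WebViewClient {

    // Constructed example list; keep it short, reviewed, and free of staging/internal hosts.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList(
            "www.example.com",
            "m.example.com"));

    /**
     * Exact, case-insensitive host comparison over https only.
     * Never use a partial test such as url.contains("example.com"): it also
     * accepts "example.com.attacker.test" or "evil-example.com".
     */
    static boolean isAllowed(Uri uri) {
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) {
            return false;
        }
        if (!"https".equalsIgnoreCase(scheme)) {
            return false; // plain http or custom schemes never reach the bridges
        }
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** Use this for deep-link URLs too, so the initial loadUrl() is gated by the same check. */
    static void loadOrHandOff(WebView view, Uri uri) {
        if (isAllowed(uri)) {
            view.loadUrl(uri.toString());
        } else {
            view.getContext().startActivity(new Intent(Intent.ACTION_VIEW, uri));
        }
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        Uri uri = request.getUrl();
        if (isAllowed(uri)) {
            return false; // let the WebView navigate to the trusted host itself
        }
        view.getContext().startActivity(new Intent(Intent.ACTION_VIEW, uri));
        return true; // consumed: the untrusted URL never enters the WebView
    }
}
```

The deep-link entry point of the app should route through loadOrHandOff rather than calling loadUrl directly, since shouldOverrideUrlLoading only covers navigations that start inside the WebView.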
