Microsoft finds TikTok vulnerability that allowed one-click account compromises
Microsoft said on Wednesday that it recently identified a vulnerability in TikTok’s Android app that could allow attackers to hijack accounts when users did nothing more than click on a single errant link. The software maker said it notified TikTok of the vulnerability in February and that the China-based social media company has since fixed the flaw, which is tracked as CVE-2022-28799.
The vulnerability resided in how the app verified what’s known as deeplinks, which are Android-specific hyperlinks for accessing individual components within a mobile app. Deeplinks must be declared in an app’s manifest for use outside of the app so, for example, someone who clicks on a TikTok link in a browser has the content automatically opened in the TikTok app.
An app can also cryptographically declare the validity of a URL domain. TikTok on Android, for instance, declares the domain m.tiktok.com. Normally, the TikTok app will allow content from tiktok.com to be loaded into its WebView component but forbid WebView from loading content from other domains.