On Wednesday, Microsoft disclosed details of a now-patched “high severity vulnerability” in the TikTok for Android app that could allow attackers to take over an account when a victim clicks on a malicious link.
“Attackers could have taken advantage of the vulnerability to take over accounts without the user’s awareness if the targeted user simply clicked on a specially crafted link,” said Dimitrios Valsamaras of the Microsoft 365 Defender Research Group.
Successful exploitation of this vulnerability could have allowed bad actors to access and modify TikTok profiles and sensitive user information, resulting in unauthorized disclosure of private videos. Attackers could also have abused this bug to send messages and upload videos on behalf of users.
The issue, which is resolved in version 23.7.3, affects two variants of the Android app: com.ss.android.ugc.trill (for East and Southeast Asian users) and com.zhiliaoapp.musically (for users in other countries, except India, where it is banned). The two apps have over 1.5 billion installs between them.
Tracked as CVE-2022-28799 (CVSS score: 8.8), the vulnerability concerns the application’s handling of what is known as a deep link, a special hyperlink that allows an application to open a specific resource in another application installed on the device, rather than the user having to navigate to a web page directly.
“A manually generated URL (unauthenticated deep link) can force the com.zhiliaoapp.mus WebView to load an arbitrary web page,” according to the advisory for the vulnerability. “This could allow an attacker to take advantage of the attached JavaScript interface for a one-click takeover.”
Simply put, the vulnerability makes it possible to circumvent the application’s restrictions on loading content from untrusted servers and load any web page of the attacker’s choice through Android System WebView, a mechanism for displaying web content on top of other applications.
“The filtering takes place on the server side and the decision to load or reject a URL is based on the response received from a particular HTTP GET request,” explains Valsamaras, adding that static analysis “indicated that it is possible to bypass the server-side check by adding two additional parameters to the deeplink.”
The upshot of an exploit that hijacks the WebView in this way to load a rogue web page is that it could allow an adversary to invoke more than 70 exposed TikTok endpoints, effectively compromising the integrity of the user’s profile. There is no evidence that the bug has been weaponized in the wild.
“From a programming perspective, the use of JavaScript interfaces involves significant risks,” Microsoft notes. “A compromised JavaScript interface could allow an attacker to execute code using the application’s ID and privileges.”
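As an added illustration (example code, not TikTok’s or Microsoft’s), here is the pattern the advisory describes and one way to harden it: a hypothetical Android activity that takes a URL from a deep link and loads it into a WebView that exposes a JavaScript bridge. The allowed hosts, the `url` query parameter and the `AppBridge` class are assumptions.

```java
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Hypothetical deep-link handler. Every page this WebView loads can call the bridge object.
public class DeepLinkActivity extends Activity {
    // Assumed first-party hosts. The decision is made on the device against the parsed host,
    // instead of trusting the outcome of a remote request that extra parameters could sway.
    private static final List<String> ALLOWED_HOSTS = Arrays.asList("www.example.com", "m.example.com");

    static class AppBridge {                        // stands in for a real privileged bridge
        @JavascriptInterface public String getAccountId() { return "placeholder-account-id"; }
    }

    static boolean isAllowed(Uri u) {
        String host = u.getHost();
        return "https".equals(u.getScheme()) && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new AppBridge(), "AppBridge");
        webView.setWebViewClient(new WebViewClient() {  // re-check every navigation, not only the first load
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isAllowed(request.getUrl()); // returning true cancels the navigation
            }
        });
        Uri deepLink = getIntent().getData();
        String target = deepLink == null ? null : deepLink.getQueryParameter("url"); // assumed parameter name
        // Vulnerable form: webView.loadUrl(target) with no local validation of the supplied URL.
        if (target != null && isAllowed(Uri.parse(target))) {
            webView.loadUrl(target);
        } else {
            finish();                                   // refuse rather than load a fallback with the bridge attached
        }
    }
}
```

The navigation re-check matters because an allowed first page could still redirect; without it, the host check would apply only to the initial deep-link URL.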