TikTok: have you been the victim of a hack? Microsoft has found the flaw

Microsoft says it has found a likely explanation for a recent wave of TikTok account hijacks. According to the firm, a flaw in the Android application let attackers craft spoofed links that, once clicked, gave them immediate control of the victim's account.

The flaw, tracked as CVE-2022-28799, has since been fixed: Microsoft reported it to TikTok's parent company ByteDance in February. If your TikTok account was hijacked around that time, attackers may have exploited this vulnerability to do it.

Specifically, the bug sat in the Android app's deep link verification. Deep links are URLs that the operating system hands to an installed app instead of the browser; when such a link is opened from outside the app, the app is supposed to check it before acting on it. The flaw let attackers craft links that passed that check, handing them control of any account as soon as the victim tapped the link.

Microsoft explains how hackers could hijack your TikTok account with a single link

To handle such links, TikTok declares them in the app's Android manifest, and the platform can additionally verify cryptographically (via the app's signing certificate fingerprint published by the domain) that the app is the legitimate handler for that domain. In normal operation a link of this type only lets the TikTok app load content from tiktok.com in its embedded WebView browser; content from any other domain is refused.

With this flaw, attackers could get around that restriction and reach the WebView's JavaScript bridges, the interfaces that expose app functionality to the loaded page, and from there take full control of the account. Here is how Microsoft describes the flaw:

“This vulnerability allowed bypassing the application’s deep link check. Hackers could force the application to load an arbitrary URL into the WebView component of the application, allowing said URL to access the component’s JavaScript bridges and therefore grant functionality to hackers”, the firm’s researchers explain.
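To make the class of check at issue concrete, here is an added example that is not TikTok's or Microsoft's code and does not reproduce the actual bypass Microsoft found (the page does not describe it). It is written in Python as a stand-in for an app's own validation logic and contrasts a naive substring allowlist check on the URL carried by a deep link with a strict check that parses the URL and compares the exact host. The demoapp:// deep link format, the allowlist and the sample links are all constructed for the example.

```python
"""Deep link host allowlist: a naive check beside a strict one.

Added example, not TikTok's or Microsoft's code. The deep link format
(demoapp://webview?url=...), the allowlist and the sample links are
constructed for illustration.
"""
from typing import Callable, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Hypothetical allowlist of hosts the embedded WebView may load.
TRUSTED_HOSTS = {"tiktok.com", "www.tiktok.com", "m.tiktok.com"}


def extract_target(deep_link: str) -> Optional[str]:
    """Pull the URL the WebView is asked to open out of a deep link.

    Hypothetical format: demoapp://webview?url=<percent-encoded target>.
    """
    parsed = urlparse(deep_link)
    if parsed.scheme != "demoapp" or parsed.netloc != "webview":
        return None
    return parse_qs(parsed.query).get("url", [None])[0]


def weak_is_trusted(url: str) -> bool:
    """The kind of check that looks right and is not: a substring test."""
    return "tiktok.com" in url.lower()


def strict_is_trusted(url: str) -> bool:
    """Parse the URL and compare the exact host against the allowlist."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False
    # Userinfo ("https://www.tiktok.com@evil.example/") puts the trusted
    # name before the '@' while the real host comes after it; reject it.
    if parsed.username is not None or parsed.password is not None:
        return False
    try:
        if parsed.port not in (None, 443):
            return False
    except ValueError:  # malformed or out-of-range port
        return False
    host = (parsed.hostname or "").lower().rstrip(".")
    return host in TRUSTED_HOSTS


def resolve(deep_link: str, check: Callable[[str], bool]) -> Optional[str]:
    """Return the URL the WebView would load under `check`, or None if refused."""
    target = extract_target(deep_link)
    if target is None or not check(target):
        return None
    return target


# Constructed sample deep links: the first is legitimate, the rest hostile.
SAMPLES = [
    "demoapp://webview?url=https%3A%2F%2Fwww.tiktok.com%2F%40someone%2Fvideo%2F1",
    "demoapp://webview?url=https%3A%2F%2Fevil.example%2F%3Fref%3Dtiktok.com",
    "demoapp://webview?url=https%3A%2F%2Ftiktok.com.evil.example%2F",
    "demoapp://webview?url=https%3A%2F%2Fwww.tiktok.com%40evil.example%2F",
    "demoapp://webview?url=http%3A%2F%2Fwww.tiktok.com%2F",
]


def compare(samples: List[str] = SAMPLES) -> List[Tuple[Optional[str], bool, bool]]:
    """For each deep link: (target URL, accepted by weak check, accepted by strict check)."""
    rows = []
    for link in samples:
        rows.append((
            extract_target(link),
            resolve(link, weak_is_trusted) is not None,
            resolve(link, strict_is_trusted) is not None,
        ))
    return rows


if __name__ == "__main__":
    for target, weak, strict in compare():
        print(f"weak={'OK' if weak else 'NO'} strict={'OK' if strict else 'NO'}  {target}")
```

The naive check accepts every hostile sample because the trusted name appears somewhere in the string; the strict check accepts only the genuine tiktok.com URL. Whatever the check looks like, any JavaScript bridge should only be attached to the WebView after the target has passed it, since, as the quote above says, it is those bridges that turn an arbitrary page load into account takeover.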

The researchers exploited the flaw themselves in a proof of concept: a malicious link which, once followed, retrieved the victim's authentication tokens and used them to authenticate to TikTok's servers as the victim. With that access they demonstrated that they could upload videos and change the victim's bio.

Protecting yourself against this type of attack is hard, not least because most users do not know such a scheme is possible. The usual advice still applies: be wary of links from contacts you do not trust, and keep the app up to date so that fixes like this one actually reach your device.
