
Microsoft: TikTok flaw enables account takeovers

Microsoft has discovered that the TikTok Android app is affected by a high-severity vulnerability, tracked as CVE-2022-28799, which could allow quick and stealthy account takeovers through a specially crafted link, according to BleepingComputer. Such a link could expose over 70 JavaScript methods through the app's WebView, which an attacker could then exploit, said Microsoft. "Attackers could have then accessed and modified users' TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users," said Microsoft 365 Defender Research Team's Dimitrios Valsamaras. HackerOne has provided more insight into the flaw. "A WebView Hijacking vulnerability was found on the TikTok Android application via an un-validated deeplink on an un-sanitized parameter. This could have resulted in account hijacking through a JavaScript interface," said HackerOne. There is no evidence of active exploitation of the vulnerability, which has already been patched with the release of TikTok version 23.7.3.
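The flaw class described above, as an added illustration that is not TikTok's code or anything from the Microsoft or HackerOne write-ups: a hypothetical Android Activity that takes a URL from a deeplink query parameter and loads it into a WebView that exposes a JavaScript interface, with the unvalidated load shown beside a scheme and host allow-list check. The class, bridge and host names are assumptions.

```java
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import androidx.appcompat.app.AppCompatActivity;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

public class DeeplinkWebViewActivity extends AppCompatActivity {
    // Hypothetical allow-list of hosts trusted to drive the native bridge.
    private static final List<String> ALLOWED_HOSTS =
        Arrays.asList("www.example.com", "m.example.com");

    // Native bridge exposed to page JavaScript. Any origin loaded in this
    // WebView can call it, which is why the loaded URL must be trusted.
    static class NativeBridge {
        @JavascriptInterface
        public String getUserId() { return "<placeholder user id>"; }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new NativeBridge(), "AppBridge");
        setContentView(webView);

        Uri deeplink = getIntent().getData();  // e.g. myapp://open?url=...
        String target = deeplink == null ? null : deeplink.getQueryParameter("url");
        if (target == null) { finish(); return; }

        // VULNERABLE: the attacker-controlled "url" parameter is loaded as-is,
        // so whatever page it points at can call AppBridge.
        // webView.loadUrl(target);

        // HARDENED: only https URLs whose host is on the allow-list are loaded;
        // anything else is rejected rather than loaded as a fallback.
        if (isTrustedUrl(target)) {
            webView.loadUrl(target);
        } else {
            finish();
        }
    }

    // Exact scheme and host match. Uri.parse() never throws; a null host
    // (e.g. a "javascript:" URL) fails the check.
    static boolean isTrustedUrl(String url) {
        Uri u = Uri.parse(url);
        return "https".equals(u.getScheme()) && u.getHost() != null
            && ALLOWED_HOSTS.contains(u.getHost().toLowerCase(Locale.ROOT));
    }
}
```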
