Microsoft warns of a vulnerability that could let hackers take over TikTok accounts with a single click


Microsoft has detailed a critical vulnerability in the TikTok Android app that allows hackers to take over accounts when users click on a malicious link.
The vulnerability affects 2 versions of the TikTok app (with over 1.5 billion installs combined) for users in Southeast Asia and other countries (except India). TikTok has already fixed the problem, so all you need to do is update the app to the latest version through Google Play.


Update the TikTok app to the latest version.

Researcher Dimitrios Valsamaras (of the Microsoft 365 Defender research team) said: "Attackers could have taken advantage of the vulnerability to take over an account without the user's knowledge when they clicked on a specially crafted link."

Successful exploitation of the vulnerability allowed attackers to access and modify TikTok profiles and sensitive information, which could expose users' private videos. Hackers could also use a hijacked account to send messages, upload videos with inappropriate content ...

The vulnerability, tracked as CVE-2022-28799 (CVSS score: 8.8), concerns the app's handling of what is known as a deep link, a special kind of hyperlink that lets an application open a specific resource inside another application installed on the device.

Simply put, the vulnerability lets an attacker load any web page of their choosing through the Android System WebView, a mechanism for displaying web content inside other applications.

Exploiting the TikTok vulnerability to take over user accounts. Photo: Microsoft

"From a programming perspective, the use of JavaScript interfaces carries significant risks. Once compromised, an attacker can execute code using the application's ID and privileges," Microsoft notes.
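The two points above, a deep link that is passed straight into a WebView and a JavaScript interface attached to that WebView, are what make this class of bug dangerous: whatever page the link names gets to call the app's bridge with the app's privileges. The following Android snippet is an added illustration, not code from TikTok or from Microsoft's write-up. The package name, the hosts in the allowlist, the "url" query parameter and the AppBridge class are all hypothetical. It shows the vulnerable pattern as a comment and the hardened handling beside it: an exact host allowlist, https only, rejection of userinfo in the URL, and the same check applied to in-page navigations so a trusted page cannot redirect to an untrusted one.

```java
package com.example.deeplinkdemo; // hypothetical package, not TikTok's

import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Handles a deep link such as  myapp://webview?url=https://www.example-app.com/page
 * and renders the "url" parameter in a WebView that exposes a JavaScript bridge.
 * Hypothetical app, host names and bridge; not code from TikTok or Microsoft.
 */
public class DeepLinkWebViewActivity extends Activity {

    // Hosts this app is willing to render in a WebView that carries a JavaScript bridge.
    private static final Set<String> TRUSTED_HOSTS = new HashSet<>(
            Arrays.asList("www.example-app.com", "m.example-app.com"));

    private static final String HOME_URL = "https://www.example-app.com/";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);

        // Any page rendered here can call window.AppBridge.*, so the page origin must be trusted.
        webView.addJavascriptInterface(new AppBridge(), "AppBridge");

        // Gate in-page navigations and redirects too; otherwise a trusted page could
        // bounce the WebView (bridge still attached) to an untrusted host.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true blocks the navigation.
                return !isTrustedHttpsUrl(request.getUrl());
            }
        });

        Uri deepLink = getIntent().getData();
        String target = (deepLink == null) ? null : deepLink.getQueryParameter("url");

        // VULNERABLE pattern (the class of bug the article describes):
        //     webView.loadUrl(target);
        // renders whatever page the deep link names, with the bridge attached.

        // Hardened: load the attacker-influenced URL only if it passes the allowlist.
        if (target != null && isTrustedHttpsUrl(Uri.parse(target))) {
            webView.loadUrl(target);
        } else {
            webView.loadUrl(HOME_URL);
        }
    }

    /** Allow only https URLs whose host exactly matches the allowlist. */
    static boolean isTrustedHttpsUrl(Uri uri) {
        if (uri == null || !uri.isHierarchical()) return false;
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        // Userinfo confuses naive checks: in https://www.example-app.com@evil.example/
        // the real host is evil.example, so refuse any URL that carries it.
        if (uri.getUserInfo() != null) return false;
        String host = uri.getHost();
        if (host == null) return false;
        // Exact match, never endsWith()/contains(): "www.example-app.com.evil.example"
        // and "evil-example-app.com" would pass a substring check but fail here.
        return TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** Bridge reachable from page JavaScript; keep it minimal, since any loaded page can call it. */
    static final class AppBridge {
        @JavascriptInterface
        public String getAppVersion() {
            return "1.0.0"; // constructed value for the example
        }
    }
}
```

The activity assumes a matching intent filter in the manifest (not shown) and the API 24+ overload of shouldOverrideUrlLoading that receives a WebResourceRequest. The two checks that home-grown validators most often get wrong are the ones spelled out in isTrustedHttpsUrl: comparing the host exactly against an allowlist rather than with endsWith() or contains(), and refusing URLs with userinfo, since the part before the "@" is not the host.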

Not long ago, security researcher Felix Krause discovered that TikTok's in-app browser on iOS is capable of monitoring all user input and key presses.

Krause said that TikTok's in-app browser is capable of collecting sensitive details, including passwords, credit card information ... when users interact with any website. However, TikTok has denied the allegation.

TikTok is used quite commonly in Vietnam. Photo: Veed

"From a technical perspective, this is equivalent to installing a keylogger on third-party websites," Krause wrote of the JavaScript code TikTok injects. However, the researcher also noted that not all applications that inject JavaScript are malicious.

"Like other platforms, we use an in-app browser to provide an optimal user experience, but the JavaScript code in question is only used for debugging, troubleshooting, and performance monitoring of that experience, like checking a page's loading speed or seeing if it crashes," a TikTok spokesperson told Forbes.


