TikTok Fixes Security Flaw That Allowed Android Account Theft

TikTok has fixed a critical security flaw in its Android app that let an attacker take over a user's account once the victim simply clicked a malicious link. The vulnerability was discovered in February by Microsoft and could give criminals full control of a profile: viewing and publishing private videos, posting content and sending messages to contacts and other users.

The weakness involved WebView, the Android component that apps use to display web content. When a crafted link was opened through TikTok, the malicious page could call dozens of JavaScript-accessible methods exposed by the app, covering operations that ranged from managing the account and its posts through HTTP requests to obtaining authentication tokens and cookies that granted access to the profile.

Although the details have only now been published, the flaw has been fixed since March of this year; TikTok shipped an update less than a month after Microsoft's notification. Tracked as CVE-2022-28799, the issue is resolved as of version 23.7.3 of the app, and all users on Android are advised to update.

TikTok's official summary attributes the flaw to an unvalidated parameter in deep links, which could be used to open a JavaScript interface through which the exploit took place. Microsoft's report, in turn, describes a chain of issues that together allowed arbitrary resources to be loaded into the WebView and gave full access to the app's exposed JavaScript interface, which in turn gave attackers access to users' profiles.
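The core of the bug is a deep-link handler that does not properly vet the URL it is asked to load into a WebView that exposes a JavaScript bridge. The following is an added example, not TikTok's code and not Microsoft's proof of concept: it models that decision in plain Python, outside Android, and contrasts a substring-style "contains a trusted host" check with a strict parse-and-allowlist check. The deep-link scheme `tiktok://webview?url=...`, the parameter name `url`, the `ALLOWED_HOSTS` set and the function names are all hypothetical; the sample links are constructed for the demonstration.

```python
"""
Added example (not TikTok's code, not Microsoft's proof of concept): a
model of how a deep-link handler decides which URL may be loaded into an
in-app WebView that exposes a JavaScript bridge. The deep-link scheme
`tiktok://webview?url=...` and the ALLOWED_HOSTS set are hypothetical.
"""
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist of hosts trusted to talk to the JavaScript bridge.
ALLOWED_HOSTS = {"m.tiktok.com", "www.tiktok.com"}


def weak_check(url: str) -> bool:
    """Accept any URL that merely contains a trusted host name.

    This is the kind of 'contains' validation an attacker-controlled URL
    sails through: the trusted name can sit in the userinfo, a look-alike
    subdomain, the query string or a fragment of a hostile page.
    """
    return any(host in url for host in ALLOWED_HOSTS)


def strict_check(url: str) -> bool:
    """Parse the URL and require https plus an exact host match.

    Rejects non-https schemes (javascript:, http:, file:, intent:),
    userinfo tricks (https://m.tiktok.com@evil.example) and look-alike
    subdomains (https://m.tiktok.com.evil.example).
    """
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    return host is not None and host.lower() in ALLOWED_HOSTS


def url_to_load(deep_link: str, checker: Callable[[str], bool]) -> Optional[str]:
    """Extract the `url` parameter of the deep link and vet it.

    Returns the URL the WebView may load, or None when the handler must
    refuse (the safe failure mode: nothing attacker-controlled reaches
    the bridge).
    """
    try:
        query = urlsplit(deep_link).query
    except ValueError:
        return None
    target = parse_qs(query).get("url", [""])[0]
    if target and checker(target):
        return target
    return None


# Constructed sample links: one legitimate, the rest crafted to smuggle a
# hostile page past a substring check.
SAMPLE_LINKS = [
    "tiktok://webview?url=https%3A%2F%2Fm.tiktok.com%2Fprivacy",
    "tiktok://webview?url=https%3A%2F%2Fm.tiktok.com%40evil.example%2F",
    "tiktok://webview?url=https%3A%2F%2Fm.tiktok.com.evil.example%2F",
    "tiktok://webview?url=https%3A%2F%2Fevil.example%2F%3Fnext%3Dm.tiktok.com",
    "tiktok://webview?url=javascript%3Aalert%28document.cookie%29%2F%2Fm.tiktok.com",
]


def compare(links=SAMPLE_LINKS):
    """Return {deep_link: (weak_result, strict_result)} for each sample link."""
    return {link: (url_to_load(link, weak_check), url_to_load(link, strict_check))
            for link in links}


if __name__ == "__main__":
    for link, (weak, strict) in compare().items():
        print(f"{link}\n  weak   -> {weak}\n  strict -> {strict}")
```

Run stand-alone, the weak checker hands every sample link to the WebView, while the strict checker loads only the first one. The lesson generalises beyond this bug: a URL that reaches a WebView with `addJavascriptInterface` bridges must be parsed, not string-matched, and the scheme, userinfo and exact host must all be checked before the load.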

TikTok flaw not exploited by criminals, says company

Fortunately, according to the company, there is no indication that the flaw was exploited by criminals, but that could change now that the exploit details are public. That is why the urgent update recommendation is reinforced for all users of the Android version of TikTok; the problem does not affect the iOS app or the web version of the social network.

In addition, as a general precaution, users should be careful when clicking links posted on the social network, whether in comments or video descriptions, as well as those sent by direct message, especially from unknown people. Apps should always be downloaded and installed from official sources, to avoid tampered applications and reduce the risk of malware infection.

This is the second critical vulnerability of its kind that TikTok has resolved in recent years. In January 2021, the social network also reported fixing a vulnerability in its friend-finding feature that could allow unauthorized access to users' personal information, circumventing the service's own protection mechanisms.

Source: Microsoft, HackerOne
