Microsoft Has Discovered A Critical Vulnerability In TikTok For Android 

Security researchers revealed they have discovered a huge security hole in TikTok that has affected every user who has downloaded the app on Android devices around the world.  But if there’s any persistent indication that users were affected by this “high-severity” security exploit, TikTok says nothing.

To steal an account, it was enough for the user to click on a malicious link.  The attackers could then access the profile, change the data in it, and upload confidential information.

Account theft was possible because hackers could force an application to load an arbitrary URL into a WebView, and this would give access to connected WebView JavaScript bridges.

A Microsoft security researcher notified TikTok of the issues in February 2022. The company quickly responded by issuing a patch to address the discovered vulnerability, identified as CVE-2022-28799 with a score of 8.3.

Exploitation of the vulnerability depends on the application’s implementation of JavaScript interfaces, which are provided by a component of the Android operating system called WebView. WebView allows applications to load and display web pages, and through the addJavascriptInterface API call, it also provides bridging functions that allow JavaScript code on a web page to call certain Java methods of a particular class in the application. Loading untrusted web content into a WebView with application-level objects accessible through JavaScript code makes the application vulnerable to JavaScript injection, which can lead to data leakage, data corruption, or arbitrary code execution.