The vulnerability identified under the reference CVE-2022-28799 has now been fixed: Microsoft notified the head of TikTok Bytedance about it in February. However, if your TikTok account was hacked around this time, probable that hackers were able to exploit this security flaw. In particular, a vulnerability in the Android app’s deep link checking system allowed hackers to generate fake links allowing them to take control of any account as soon as the victim clicked on it. When deep links are navigated outside of the application, they are usually checked.
Microsoft explains comment hackers can hack your TikTok account with a simple link
To do this, TikTok checks for their presence in the manifest. The application can also perform cryptographic operations to authenticate the link. via this type of links, the TikTok app allows you to display the code from tiktok.com only in son built-in WebView browser. At the same time, it prohibits downloading content from other domains. But with this shortcoming, hackers can bypass this limitation and gain access to secure javascript bridges to gain control. total Check. Here comment Microsoft describes the flaw as follows: “This vulnerability allowed bypassing the application’s deep link checks. Hackers can force an application to load an arbitrary URL into the application’s WebView component, which would allow the specified URL to access the component’s JavaScript bridges and thus provide functionality to the hackers,” the firm’s researchers explain. The researchers were able to exploit the vulnerability themselves in the demo. This involved sending a malicious link that, after the transition, took away the victim’s authentication tokens in order to then connect to the TikTok servers and authenticate the opening. session. They have shown that it is. possible upload videos and change the victim’s biography. Read also – TikTok – bug allows the application to see all your passwords on the iPhone. Defending against these types of attacks can be tricky, especially when one doesn’t necessarily know what such a scheme is. possible. However, as always, you should always be wary of links from untrustworthy contacts.
