• Microsoft discovered a TikTok vulnerability. This vulnerability was a verification bypass on the Android app, raising concerns about the security and use of the popular social media app. In a blog post published Wednesday, Microsoft highlighted the TikTok vulnerability, known as CVE-2022-28799, which might allow threat actors to hijack accounts and distribute private films, exchange messages, and submit movies under the users’ accounts.
• While the TikTok vulnerability was fixed and Microsoft confirmed that no in-the-wild exploitation was observed, the vulnerability raised concerns about access to private data and in-app browser functionality.
• Security researcher Felix Krause discovered that TikTok’s iOS app used a JavaScript code to investigate what the user clicks.
• Whether TikTok is only using the capability for troubleshooting or not, it can still pose security threats to businesses.

Microsoft uncovered a TikTok vulnerability, a verification bypass on the Android app, raising questions about the popular social media app’s security and usefulness. Microsoft highlighted the TikTok vulnerability, identified as CVE-2022-28799, in a blog post released Wednesday, which might allow threat actors to hijack accounts and publish private films, exchange messages, and submit videos under the users’ accounts.

The TikTok vulnerability was discovered by how it handles deep links

While the TikTok vulnerability was repaired by the company and Microsoft stated that no in-the-wild exploitation was observed, the vulnerability raised worries about access to private data as well as in-app browser capability. Microsoft stated in a blog post that the TikTok vulnerability affected both Android app versions – the firm has one version for East and Southeast Asia and one for the rest of the world – which have had over 1 billion downloads from the Google Play store.

In a statement to TechTarget about the TikTok vulnerability, the social media company revealed that it had “discovered and quickly fixed a vulnerability in some older versions of the Android application.” Microsoft researchers described a proof-of-concept attack and additional threats in a blog post. To exploit the issue, an attacker would email the targeted victim a phishing link that, if clicked, would grant access to sensitive information.

However, Microsoft stressed that exploiting this TikTok vulnerability would have required chaining many problems, including vulnerable JavaScript methods. After connecting to the app, Microsoft discovered 70 JavaScript methods attackers might have used.

Because of this revelation, as well as earlier studies, Microsoft issued a warning about the potential hazards connected with JavaScript APIs. According to the blog, attackers can execute code using the application’s ID and privileges if the interface is exploited. According to the announcement, “A compromised JavaScript interface can potentially allow attackers to execute code using the application’s ID and privileges. Thus, we recommend that the developer community be aware of the risks and take extra precautions to secure WebView.

The TikTok vulnerability was discovered in how the Android app handles deep links, which Microsoft characterized as ” a special hyperlink that links to a specific component within a mobile app and consists of a scheme and (usually) a host part. When a deep link is clicked, the Android package manager queries all the installed applications to see which one can handle the deep link and then routes it to the component declared as its handler.”

According to Microsoft, the issue allowed the app’s deep link verification to be circumvented, allowing researchers to slip a malicious link into WebView. This Android component powers TikTok’s in-app browser. According to Microsoft, “Attackers could force the app to load an arbitrary URL to the app’s WebView, allowing the URL to access then the WebView’s attached JavaScript bridges and grant functionality to attackers.” 

Keylogging concers over TikTok

Another study last month by security researcher Felix Krause, who designed a tool to check what applications do in WebView, focused on in-app browsers. The analysis, which highlighted the vulnerabilities of mobile apps that employ in-app browsers, assessed roughly 25 of the most popular iOS apps and determined that TikTok used a keylogging method in its in-app browser.

Krause stated in the report that “TikTok iOS subscribes to every keystroke (text inputs) happening on third-party websites rendered inside the TikTok app. This can include passwords, credit card information, and other sensitive user data.”

Alleged cybersecurity issues of Twitter are causing a headache for the company

Furthermore, he discovered that TikTok’s iOS app used a JavaScript code to investigate what the user clicks. While Krause said that he doesn’t know what TikTok does with the subscription, he claimed that TikTok’s answer in a Forbes piece proved that it has keylogging capacity.

TikTok replied in a statement to TechTarget that the report’s results are wrong and misleading: “The researcher specifically says the JavaScript code does not mean our app is doing anything malicious and admits they have no way to know what kind of data our in-app browser collects. Contrary to the report claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring.”

However, information security experts believe there aren’t many acceptable reasons for TikTok to use keylogging for debugging. For example, according to Chester Wisniewski, a principal research scientist at Sophos, troubleshooting is normally provided via the operating system rather than the program. For example, Apple would be liable for iPhone difficulties and Google for Android because they utilize Safari and Chrome, respectively.

Keylogging is commonly viewed as a violation of privacy, according to Nick DeLena, partner at consulting company DGC who specializes in cybersecurity and privacy, advise when an app or service is found to be utilizing it, they’re usually driven into another method of debugging. DeLena said that the risk with TikTok’s app is especially high because the Chinese government partially controls TikTok’s parent firm ByteDance.

Whether TikTok is only using the capability for troubleshooting or not, it might still pose security threats to businesses. For example, Tim Mackey, chief security strategist at Synopsys, stated that if the software is utilized at work, there is a chance that critical company information will be included in the keylogging data packet.

Cybersecurity experts in the UK are on the same page about Computer Misuse Act reform

Though many firms prohibit particular programs or services from being downloaded on work devices, controlling the rising remote workforce may be difficult. The change has widened the gap between work and personal life.

Wisniewski underlined that individuals increasingly use their personal phones or tablets for work-related tasks and may be oblivious of potential hazards, noting, “It only takes a minute to be confused about whether you’re currently in the company web browser, or you might be in the in-app TikTok browser by accident and start doing company stuff, and that’s a huge risk to data leakage.”