TikTok Android vulnerability allows one-click account hijacking

Posted by Marbenz Antonio on September 6, 2022

A TikTok vulnerability could have allowed account hijackers to take  control. - The Cybersecurity Daily News

In the TikTok Android app, Microsoft found a high-severity vulnerability that could have given attackers access to users’ accounts with just one click. The vulnerability has been patched, and we were unable to find any proof of in-the-wild exploitation, which would have needed numerous vulnerabilities to be chained together. If a targeted user had simply clicked a specially crafted link, attackers might have taken advantage of the vulnerability to steal an account without the users’ knowledge. Attackers may then have gained access to users’ TikTok profiles and private information and altered it, such as by making public-private videos, sending messages, or posting videos on users’ behalf.

The app’s deep link verification may have been subverted thanks to the issue. Attackers might force the app to load a random URL to its WebView, enabling that URL to access the WebView’s connected JavaScript bridges and provide the attacker access to functionality. We’ve already investigated the possibly broad implications of JavaScript bridges. This study highlights the need for vigilance when clicking unknown links and demonstrates how the security community must work together to improve defenses for the entire digital ecosystem.

For East and Southeast Asia, TikTok’s Android app is available in two flavors: com.ss.android.ugc.trill for that area, and com.zhiliaoapp.musically for the rest of the world. We conducted a vulnerability evaluation of TikTok App and found that the problems were present in both Android versions of the app, which had collected over 1.5 billion downloads through the Google Play Store. As part of our responsible disclosure policy, a Microsoft security researcher informed TikTok of the issues in February 2022 via Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). Users can check the CVE entry for additional details. TikTok swiftly replied by providing a fix to address the reported vulnerability, which is now known as CVE-2022-28799. We applaud the TikTok security team’s quick and competent response. Users of TikTok are urged to make sure they are running the most recent version of the application.

We discuss the issues we found in this blog post, look at how they might have been used in an attack to stealthily and rapidly take control of specific users’ accounts, and go over best practices and safeguards. To constantly increase security for everyone, irrespective of the platform or device being used, we also share information of our research, disclosure, and engagement with the greater security community as dangers across platforms continue to increase.

JavaScript interfaces of TikTok Android App

The app’s implementation of JavaScript interfaces, which are made available by the Android operating system’s WebView component, is what allows the vulnerability to be exploited. Using the addJavascriptInterface API call, WebView enables programs to load and display web pages while also offering bridge capability that enables JavaScript code on the web page to call specified Java methods of a particular class in the app. The program becomes subject to JavaScript interface injection when loading untrusted online material to WebView with objects accessible via JavaScript code. This can result in data leakage, data corruption, or, in rare situations, arbitrary code execution.

An instance of the JsObject class is injected into WebView in our example’s code (line 8), and it is then referenced by the injectObject variable within the JavaScript code, which is loaded using the loadUrl API method (line 10). This code shows how a JavaScript interface is utilized.

Code depicting adding a JavaScript interface to a WebView object
Figure 1. Adding a JavaScript interface to a WebView object

Any function of the injected class was accessible to this JavaScript code before Android API level 18 (introduced in 2013 with Android 4.3). Only class methods annotated with the “@JavascriptInterface” annotation can be called starting with API level 18. (depicted above in line 2).

JavaScript bridge of TikTok Android App

TikTok for Android makes considerable use of JavaScript interfaces to improve WebView functionality. We discovered a class of potential users for such a WebView. The [redacted].bridge.* package’s classes implement every type of capability, and this registers a JavaScript bridge with access to them all. This bridge makes the following technique visible:

Code depicting rendering the method callable via the JavaScript code
Figure 2. Rendering the method callable via the JavaScript code

The func and params properties are the two that matter the most when it comes to the arg1’s JSON string representation.

The params element specifies the arguments that this method accepts, while the func attribute specifies the name of the Java method that is called from the JavaScript code. For instance, the following sentence must be used to call the Java function foo(String arg1, String arg2) from JavaScript code:

Code depicting a Java method being invoked via the JavaScript interface
Figure 3. Example code invoking a Java method via the JavaScript interface.

A callback defined in the JavaScript code that accepts a single string as an argument receives the output as a JSON string.

Diagram depicting the interaction between Java and web components using the JavaScript interface, further detailed in the text below.
Figure 4. Interaction between Java and web components using the JavaScript interface

The idea is illustrated in the above figure, which also shows the stages:

  • The program opens its WebView and loads the webpage example.com.
  • The Java function is called by the JavaScript code, which is downloaded from the remote server.
  • The process is carried out
  • The callback function receives the result as an argument.

Finally, using an XMLHttpRequest, a built-in browser object that may also be used during an attack to send stolen data to an attacker’s server, the handler method can process the result locally or send it to an external server.

In the end, it was discovered that the app’s handling of a particular deeplink was where the vulnerability itself lay. A deeplink is a specific hyperlink that, in the context of the Android operating system, links to a particular element within a mobile app and is made up of a scheme and (typically) a host portion. The Android package manager searches all installed programs when a deeplink is selected to see which one can handle it. It then sends the deeplink to the component designated as its handler. To be used by components not directly related to the application, a deeplink must be defined in the manifest of the application:

Code depicting an example of adding an intent filter in the app's manifest for deep linking
Figure 5. An example of adding an intent filter in the app’s manifest for deep linking

In the example above in Figure 5,

  1. The user selects the http://www.example[.]com/gizmos link. Since the scheme can be handled by many applications, the system then displays a dialog box, also known as an ambiguity dialog, similar to the one seen in Figure 6 below.
  2. GizmosActivity, the component designated as the deeplink handler, in this case, is directly reached by a deeplink in the form of example:/gizmos.
Image of an ambiguation dialog requesting the user to complete the action using either the Chrome browser or an Android app called DeepLinkingExample. It also prompts the user to select whether it should complete the action with the selected application just once or every time.
Figure 6. Ambiguity dialog

An application may declare an Android App Link by utilizing the autoVerify property in its intent filter to tell the system to check the association between the app and the defined URL domain to skip the ambiguous dialog for HTTP and HTTPS protocols. Additionally, a JSON file with the package name of the application and the SHA256 fingerprint of its certificate needs to be published in https://domain.name/.well-known/directory. For the domain m.tiktok.com, TikTok for Android makes use of this capability, which means any links matching the particular domain will be forwarded to the program without displaying an ambiguous dialog.

In addition to deeplinks that are declared in the Android manifest, an application can also use internal deeplinks to transfer data across its parts. An “unable to resolve Intent” error message will be displayed if you attempt to open an internal deeplink from outside the program, such as in a web browser because the system can’t direct you to the right handler.

Vulnerability findings of TikTok Android App

Understanding the many factors at play, such as how the app implements JavaScript APIs, that enable the vulnerability to be abused is crucial since they affect how the vulnerability is exploited. We looked at how the app handled a specific deep link and found some problems that, when combined, could have been leveraged to force the app to load any URL into the WebView. It was possible to inject an instance of the JavaScript bridge that gives complete access to the functionality supplied by the [redacted].bridge.* package by carefully creating this URL with additional query parameters.

The vulnerability’s technical description is provided below. We used the TikTok Android app with the package name com.zhiliaoapp.musically to conduct our analysis. The TikTok Android app, com.ss.android.ugc.trill fits the same description because the vulnerabilities were discovered in widely used SDKs.

TikTok for Android employs a variety of deeplinking techniques, some of which are exported via the manifest and others that are only used by the application itself. Among the exported ones, the [redacted] class handles the https://m.tiktok[.]com/redirect link, which is used to redirect URIs to various application components via a query parameter:

We found that the query parameter can be used to invoke non-exported activities and internal deeplinks, increasing the attack surface of the application. This redirection to internal deeplinks, in TikTok’s opinion, doesn’t cause any further issues.

As a proof of concept, we created a URL that loads https://www.tiktok[.]com to the application’s WebView using a specific non-exported scheme, as seen in Figure 8 below:

Despite the [redacted-internal-scheme]:/webview, though? When loading URLs to the CrossPlatformActivity’s WebView using the query parameter url=website> deeplink, the application imposes filters to disallow untrusted hosts. Figure 8 shows that the Tiktok.com domain loaded properly, however, Figure 9 shows that the application filters refused the domain Example.com:

The filtering happens on the server, and whether to load or reject a URL depends on the response to a specific HTTP GET request. Our static analysis revealed that by adding two extra parameters to the deeplink, it is possible to get around the server-side check.

We used the WebView module of Medusa to dynamically confirm that the WebView associated with the activity creates instances of the JavaScript bridge. The website associated with the [redacted-scheme]:/webview scheme’s query parameter now has complete access to the JavaScript bridge, allowing its JavaScript code to access and use any accessible functionality contained in the [redacted].bridge.* package.

Exposed functionality of TikTok Android App

We counted more than 70 exposed methods after reviewing the functionality available to JavaScript code in web pages loaded to WebView. These approaches can be used to give functionality to attackers when combined with an exploit to hijack WebView, like the problem we found. While some of the disclosed methods can make authenticated HTTP calls to any URL provided as a parameter, others can access or modify users’ sensitive information. Additionally, the method provides the server’s response along with the headers and accepts some parameters in the form of a JSON string that can be used to create the body of a POST request.

By invoking such methods, an attacker can:

By initiating a request to a controlled server, logging the cookie and the request headers, and retrieving the user’s authentication tokens.
By initiating a request to a TikTok endpoint and obtaining the response via the JavaScript callback, it is possible to retrieve or edit the user’s TikTok account data, such as private videos and profile settings.

Proof of concept of TikTok Android App

In the proof of concept that follows, the attacker targets a TikTok user and gives them a specially constructed link. The software then alters the user’s biographical information to read “!!” once the user clicks the link, sending the video uploading authentication tokens back to the attacker. BREACH IN SECURITY!! ”:

When a targeted TikTok user clicks the attacker’s carefully designed malicious link, the attacker’s server, https://www.attacker[.]com/poc, is given complete access to the JavaScript bridge and is free to use any exposed feature. The server of the attacker sends back an HTML page with JavaScript code that modifies the user’s profile biography and sends video upload tokens back to the attacker.

The attacker receives the authentication tokens for uploading videos via an XMLHttpRequest. The header and body of the reply are likewise sent to the attacker, as seen in Figures 10 and 11 below:

Code depicting the request headers retrieved by the attack
Figure 10. The request headers retrieved by the attack
Code depicting the server's reply including the headers
Figure 11. The server’s reply including the headers

The final message was “!! BREACH IN SECURITY!!! ” is set in the biography of the user profile:

An image of a TikTok user's profile with the biography information reading "!! SECURITY BREACH !!!"
Figure 12. Compromising the user’s profile integrity

JavaScript interface best practices

As demonstrated by this instance and our earlier research, employing JavaScript APIs comes with major programming hazards. The ID and privileges of the application could potentially be used by attackers to execute code through a JavaScript interface that has been hacked. Therefore, we advise the developer community to be aware of the dangers and adopt additional security measures to protect WebView.

We advise utilizing an approved list of trusted domains to be loaded to the application’s WebView to prevent loading dangerous or untrusted online content in situations when using JavaScript APIs cannot be avoided. Additionally, we advise utilizing the subsequent secure coding techniques:

  • To open URLs that are not on the application’s allowed list, use the default browser.
  • Maintain the approved list up to date and keep track of the included domains’ expiration dates. This can stop hackers from using an expired domain on the list of permitted domains to hijack WebView.
  • Avoid comparing and verifying a URL with the accepted list of trusted domains using partial string comparison methods.
  • Avoid adding stage or internal network domains to the list of permitted domains because an attacker could spoof these domains to take control of WebView.

Responsible disclosure and industry cooperation enhance everyone’s security

Adversaries continue to concentrate on locating and exploiting unpatched vulnerabilities and misconfigurations as a route to access systems and sensitive information for malicious reasons, leveraging new threats, methodologies, and attacker capabilities. As part of our dedication to always improving security from Microsoft, not just for Microsoft, we must broaden our knowledge and skills into additional devices and platforms to respond to the evolving threat landscape.

To ensure Microsoft Defender Vulnerability Management discovers and alerts on installed programs with known vulnerabilities—including those impacting non-Windows devices—we employ collaborative research like this to enhance our security technologies across platforms. Although we are not aware of any active exploitation of this vulnerability in the wild, users can still take the following security precautions to protect themselves:

  • Avoid clicking on links from sources you don’t trust.
  • Always maintain the devices and loaded apps up to date.
  • Never install applications from untrusted sources
  • Report any unusual application behavior—like setting changes that happen without user input—immediately to the vendor.

We notified the vulnerability to TikTok in February 2022 as instructed on its website as part of our responsible disclosure policy through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). The issue, identified as CVE-2022-28799, was immediately given a high severity rating of 8.3 and a fix was incorporated in an updated version of the software that was made available less than a month after the vulnerability was first discovered. We appreciate the TikTok security team’s quick and efficient work in finding solutions to these problems.

Want to know more about Microsoft? Visit our course now.

This example demonstrates how effective problem mitigation requires the capacity to organize research and threat intelligence sharing through professional, cross-industry collaboration. Vulnerability disclosures, coordinated responses, and other types of threat information sharing are required to ensure secure users’ computing experiences, regardless of the platform or device in use, since attacks across platforms continue to expand in number and sophistication. To improve everyone’s protection, we will keep collaborating with the greater security community to exchange research and threat intelligence.

Explore the vast ecosystem of TikTok Android vulnerability allows one-click account hijacking. Visit us here.

Here at CourseMonster, we know how hard it may be to find the right time and funds for training. We provide effective training programs that enable you to select the training option that best meets the demands of your company.

For more information, please get in touch with one of our course advisers today or contact us at training@coursemonster.com

Verified by MonsterInsights