Microsoft finds TikTok vulnerability that allowed one-click account compromises

by Dan Goodin, from Ars Technica - All content
[Image: TikTok (credit: Getty Images)]

Microsoft said on Wednesday that it recently identified a vulnerability in TikTok's Android app that could allow attackers to hijack accounts when users did nothing more than click on a single errant link. The software maker said it notified TikTok of the vulnerability in February and that the China-based social media company has since fixed the flaw, which is tracked as CVE-2022-28799.

The vulnerability resided in how the app verified what's known as deeplinks, which are Android-specific hyperlinks for accessing individual components within a mobile app. Deeplinks must be declared in an app's manifest for use outside of the app, so that, for example, someone who clicks on a TikTok link in a browser has the content automatically opened in the TikTok app.

An app can also cryptographically declare the validity of a URL domain. TikTok on Android, for instance, declares the domain m.tiktok.com. Normally, the TikTok app will allow content from tiktok.com to be loaded into its WebView component but forbid WebView from loading content from other domains.
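A model of the domain restriction described above, added here as an example and not TikTok's, Microsoft's or Android's code: a weak substring match on the URL placed beside a hardened check that parses the URL and compares only the hostname. The allowlist, sample URLs and function names are constructed for the example; the article does not say how the fixed flaw actually got past the app's check, so the weak check below is a generic anti-pattern, not the real bug.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example; the article only says the app
# declares m.tiktok.com and permits WebView content from tiktok.com.
ALLOWED_DOMAINS = ("tiktok.com",)

def weak_is_allowed(url: str) -> bool:
    """Illustrative weak check: passes if the domain string appears anywhere
    in the URL. Generic anti-pattern, not the specific TikTok flaw."""
    return "tiktok.com" in url

def host_matches(host: str, domain: str) -> bool:
    """Exact host or a subdomain of it; rejects look-alikes such as
    tiktok.com.evil.example or evil-tiktok.com."""
    return host == domain or host.endswith("." + domain)

def strict_is_allowed(url: str, allowed=ALLOWED_DOMAINS) -> bool:
    """Hardened check: parse the URL, require https, and compare only the
    parsed hostname (userinfo, port, path and query are ignored)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https" or parts.hostname is None:
        return False
    # .hostname is lowercased and has any user:pass@ prefix stripped
    return any(host_matches(parts.hostname, d) for d in allowed)

# Constructed sample deeplink targets a handler might be asked to load.
SAMPLE_URLS = [
    "https://m.tiktok.com/share/item",        # legitimate
    "https://M.TIKTOK.COM/share/item",        # legitimate, mixed case
    "https://tiktok.com.evil.example/",       # suffix look-alike host
    "https://evil.example/?next=tiktok.com",  # domain only in the query
    "https://m.tiktok.com@evil.example/",     # userinfo before real host
    "http://m.tiktok.com/",                   # plaintext scheme
    "javascript:void(0)",                     # non-http scheme
]

def evaluate(urls=SAMPLE_URLS) -> dict:
    """Return {url: (weak_result, strict_result)} for side-by-side review."""
    return {u: (weak_is_allowed(u), strict_is_allowed(u)) for u in urls}

if __name__ == "__main__":
    for url, (weak, strict) in evaluate().items():
        print(f"weak={weak!s:<5} strict={strict!s:<5} {url}")
```

Only the first two sample URLs should reach the WebView; the substring check admits four of the other five and, because it is case-sensitive, wrongly rejects the mixed-case legitimate link.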

