The vulnerability was related to how the app handles “deep links”, Android-specific hyperlinks that open individual components of a mobile app. For example, if someone clicks a TikTok-specific link in a browser, its content automatically opens in the TikTok app.

An application can also cryptographically declare the validity of a URL domain. For example, TikTok on Android declares the domain m.tiktok.com. Typically, the TikTok app allows content from tiktok.com to be loaded into its WebView component but prevents the WebView from loading content from other domains.
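The domain filter described above can be sketched as a host allowlist applied before a URL reaches the WebView. This is an added example, not TikTok's code and not a reproduction of the flaw, which the article does not detail; the class name, the allowlist contents and the sample URLs are assumptions, and `java.net.URI` stands in for Android's `Uri` class so the check runs off-device.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public class WebViewUrlFilter {
    // Assumed allowlist, built from the two domains the article mentions.
    private static final Set<String> TRUSTED_HOSTS = Set.of("tiktok.com", "m.tiktok.com");

    // Weak form: looks for the trusted name anywhere in the raw string.
    static boolean weakCheck(String url) {
        return url.contains("tiktok.com");
    }

    // Strict form: parse first, then require https, no userinfo part,
    // and an exact (case-insensitive) match on the parsed host.
    static boolean strictCheck(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false; // unparseable input is never loaded
        }
        String host = uri.getHost();
        if (host == null || uri.getUserInfo() != null) {
            return false;
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return false;
        }
        return TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample inputs; only the first should be accepted.
        String[] samples = {
            "https://m.tiktok.com/video/1",
            "http://m.tiktok.com/video/1",
            "https://m.tiktok.com.example.net/",
            "https://example.net/?next=m.tiktok.com",
            "https://m.tiktok.com@example.net/"
        };
        for (String s : samples) {
            System.out.printf("%-42s weak=%-5b strict=%b%n", s, weakCheck(s), strictCheck(s));
        }
    }
}
```

The weak form accepts all five samples; the strict form accepts only the first. In an app, the check should run on the exact string that is then handed to the WebView, so that the validator and the loader cannot disagree about the host.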

“The vulnerability allowed bypassing deep link checking in the application,” the researchers write. “Attackers can force an application to load a random URL into the application’s WebView, which allows the URL’s WebView to access bound JavaScript hyperlinks and expose the functionality to attackers.”

Researchers created a proof-of-concept exploit that does just that. It involved sending a malicious link to a targeted TikTok user; when clicked, the link would obtain the authentication tokens that TikTok servers need to verify ownership of users’ accounts.

Microsoft said there was no evidence that the vulnerability was actively exploited by attackers.

Source: Ferra
