- Microsoft discovered a TikTok vulnerability: a verification bypass in the Android app that raised concerns about the security and use of the popular social media app. In a blog post published Wednesday, Microsoft highlighted the vulnerability, tracked as CVE-2022-28799, which might allow threat actors to hijack accounts and publish private videos, send messages, and upload videos under the users’ accounts.
- While the TikTok vulnerability was fixed and Microsoft confirmed that no in-the-wild exploitation was observed, the vulnerability raised concerns about access to private data and in-app browser functionality.
- Whether TikTok is only using the capability for troubleshooting or not, it can still pose security threats to businesses.
Microsoft uncovered a TikTok vulnerability, a verification bypass in the Android app, raising questions about the popular social media app’s security and use. Microsoft highlighted the vulnerability, identified as CVE-2022-28799, in a blog post released Wednesday; the flaw might allow threat actors to hijack accounts and publish private videos, send messages, and upload videos under the users’ accounts.
The TikTok vulnerability was discovered in how the app handles deep links
While the TikTok vulnerability was repaired by the company and Microsoft stated that no in-the-wild exploitation was observed, the vulnerability raised worries about access to private data as well as in-app browser capability. Microsoft stated in a blog post that the TikTok vulnerability affected both Android app versions – the firm has one version for East and Southeast Asia and one for the rest of the world – which have had over 1 billion downloads from the Google Play store.
In a statement to TechTarget about the TikTok vulnerability, the social media company revealed that it had “discovered and quickly fixed a vulnerability in some older versions of the Android application.” Microsoft researchers described a proof-of-concept attack and additional threats in a blog post. To exploit the issue, an attacker would email the targeted victim a phishing link that, if clicked, would grant access to sensitive information.
The TikTok vulnerability was discovered in how the Android app handles deep links, which Microsoft characterized as “a special hyperlink that links to a specific component within a mobile app and consists of a scheme and (usually) a host part. When a deep link is clicked, the Android package manager queries all the installed applications to see which one can handle the deep link and then routes it to the component declared as its handler.”
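The routing step described above only decides which app receives the link; the receiving component still has to decide whether the link is one it should act on. The following example, added here and not code from the original article, Microsoft, or TikTok, shows in language-neutral Python what a strict allowlist check on an incoming deep-link URL looks like before the URL is handed to an in-app WebView. The scheme and host allowlist, the function names and the sample links are all constructed for illustration; in a real Android app the equivalent check would run in the Activity that receives the intent.

```python
"""Allowlist validation for deep-link URLs before they reach an in-app WebView.

Added example; the allowlist and sample links below are constructed and do not
describe any real app's configuration.
"""
from urllib.parse import urlsplit

# Constructed allowlist: only these schemes/hosts may be opened in the WebView.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"www.example-app.com", "m.example-app.com"}
ALLOWED_PORTS = {None, 443}  # default port only


def classify_deep_link(url: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a deep-link URL.

    The checks are deliberately strict: anything that is not an exact match on
    scheme, host and port, or that carries a userinfo part, is rejected.
    """
    # Whitespace and control characters are a sign of tampering or of a link
    # assembled from untrusted pieces; parsers disagree on how to treat them.
    if any(c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False, "control or whitespace character in URL"
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    # urlsplit lowercases the scheme, so "HTTPS" is matched as "https".
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    # "https://trusted-host@evil.example/" puts the trusted name in the userinfo
    # part; the real host is after the "@". Reject userinfo outright.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present in authority"
    host = parts.hostname  # lowercased, port stripped, None if absent
    if host is None:
        return False, "no host in URL"
    # Exact match only: "www.example-app.com.evil.example" must not pass.
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    if port not in ALLOWED_PORTS:
        return False, f"port {port!r} not allowed"
    return True, "ok"


def is_trusted_deep_link(url: str) -> bool:
    """Boolean convenience wrapper around classify_deep_link()."""
    return classify_deep_link(url)[0]


def route_deep_link(url: str) -> str:
    """Decide which component handles a link: the WebView or a safe fallback.

    The fallback here is a constructed placeholder; a real app would typically
    open its home screen or ignore the link rather than load an arbitrary URL.
    """
    return "webview" if is_trusted_deep_link(url) else "fallback-home"


if __name__ == "__main__":
    # Constructed sample links covering the common bypass shapes.
    samples = [
        "https://www.example-app.com/video/123",
        "HTTPS://WWW.EXAMPLE-APP.COM/video/123",
        "https://www.example-app.com@evil.example/video/123",
        "https://evil.example/www.example-app.com/",
        "https://www.example-app.com.evil.example/",
        "javascript:alert(1)",
        "http://www.example-app.com/",
        "https://www.example-app.com:8443/",
        "https://www.example-app.com:abc/",
        "https://www.example-app.com/a\nb",
    ]
    for link in samples:
        accepted, reason = classify_deep_link(link)
        print(f"{'ACCEPT' if accepted else 'REJECT':6} {link!r}: {reason}")
```

The important design choice is exact matching of the parsed host rather than a substring or prefix test on the raw string: every rejected sample above contains the trusted hostname somewhere in the text, and only the parsed-host comparison tells them apart.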
Keylogging concerns over TikTok
Another study, published last month by security researcher Felix Krause, who built a tool to check what applications do in WebView, focused on in-app browsers. The analysis, which highlighted the risks of mobile apps that use in-app browsers, assessed roughly 25 of the most popular iOS apps and determined that TikTok used a keylogging method in its in-app browser.
Krause stated in the report that “TikTok iOS subscribes to every keystroke (text inputs) happening on third-party websites rendered inside the TikTok app. This can include passwords, credit card information, and other sensitive user data.”
However, information security experts believe there aren’t many acceptable reasons for TikTok to use keylogging for debugging. According to Chester Wisniewski, a principal research scientist at Sophos, troubleshooting is normally provided by the operating system rather than the application: Apple would be responsible for iPhone problems and Google for Android, because they use Safari and Chrome, respectively.
Keylogging is commonly viewed as a violation of privacy, according to Nick DeLena, a partner at consulting company DGC who specializes in cybersecurity and privacy, and when an app or service is found to be using it, it is usually pushed toward another method of debugging. DeLena said that the risk with TikTok’s app is especially high because the Chinese government partially controls TikTok’s parent firm ByteDance.
Whether TikTok is only using the capability for troubleshooting or not, it might still pose security threats to businesses. For example, Tim Mackey, chief security strategist at Synopsys, stated that if the software is utilized at work, there is a chance that critical company information will be included in the keylogging data packet.
Though many firms prohibit particular programs or services from being downloaded on work devices, controlling the growing remote workforce may be difficult. The shift has blurred the line between work and personal life.
Wisniewski underlined that individuals increasingly use their personal phones or tablets for work-related tasks and may be oblivious to the potential hazards, noting, “It only takes a minute to be confused about whether you’re currently in the company web browser, or you might be in the in-app TikTok browser by accident and start doing company stuff, and that’s a huge risk to data leakage.”