Android TikTok app: Microsoft finds 1-click vulnerability that allowed account takeover

[German]Microsoft has discovered a dangerous vulnerability in the TikTok app for Android that allowed user accounts to be compromised with a single click. In the meantime, this vulnerability in the TikTok app for Android has been closed.


TikTok is a service operated by the Chinese provider Bytedance, which provides short video clips and videos for lip-syncing music videos. Moreover, there are additional functions of a social network. The platform is especially popular with young people, and apps are available for Android and iOS.

The company is controversial due to concerns about data and youth protection as well as spying and censorship in favor of the Chinese government. The US government under former President Donald Trump tried to ban the Chinese TikTok app along with its service in the US unless the US business was sold to a US tech company. There was the announcement by the US Commerce Department, which, on the orders of the US President, banned US citizens from downloading the TikTok app in US app stores. The whole thing was then stopped again by US judges.

Serious vulnerability in TikTok app

TikTok exists as an Android app in two variants: one for East and Southeast Asia under the package name and another for the remaining countries under the package name com.zhiliaoapp.musically. As part of a vulnerability analysis by TikTok, Microsoft's security researchers then discovered that both variants of the app for Android, which together have over 1.5 billion installs in the Google Play Store, are affected by a vulnerability.

The vulnerability (CVE-2022-28799), rated as high, is located in Webkit and depended on the implementation of this component's JavaScript interfaces in the app. WebView allows apps to load and display web pages and can also provide bridging functionality with the API call addJavascriptInterface. This function allows JavaScript code in a web page to call specific Java methods of a specific class in the app.

Loading untrusted web content into WebView with application-level objects that can be accessed via JavaScript code makes the app vulnerable to JavaScript interface injection, which can lead to data leaks, data corruption, or in some cases, execution of arbitrary code.


This is exactly what occurred in the vulnerable version of the TikTok app. If a user clicked or tapped on a malicious link, they could be redirected to a website controlled by the attackers – no verification of the link destination took place. On the attackers' website, they could then have used a JavaScript interface injection to access authentication tokens of the respective user and then take over their TikTok account.

This step would have allowed attackers to access and modify users' TikTok profiles and sensitive information. For example, it could have published private videos, sent messages, and uploaded videos on behalf of users. After carefully reviewing the impact, a Microsoft security researcher notified TikTok of the issues in February 2022.

TikTok quickly responded and released a fix for the CVE-2022-28799 vulnerability. TikTok users are advised to ensure they are using the latest version of the app. Microsoft has published its findings as of August 31, 2022 on the Security Blog in the post Vulnerability in TikTok Android app could lead to one-click account hijacking.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Android, Security and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *