Getty Images/iStockphoto

Microsoft discloses 'high-severity' TikTok vulnerability

The flaw in TikTok's Android app is the latest security concern for the social media company, which was criticized last month for having keylogging functionality in its iOS app.

Microsoft disclosed a verification bypass vulnerability in TikTok's Android application, raising concerns about the security and functionality of the popular social media app.

In a blog post Wednesday, Microsoft detailed the TikTok vulnerability, tracked as CVE-2022-28799, which could enable threat actors to hijack accounts and publicize private videos, send messages and upload videos under the users' accounts. While TikTok fixed the flaw and Microsoft confirmed it did not observe in-the-wild exploitation, the vulnerability heightened concerns over access to private data as well as the in-app browser functionality.

Microsoft said the TikTok vulnerability affected both versions of the Android app -- the company has one version for East and Southeast Asia, and one for all other countries -- which have more than 1 billion downloads through the Google Play store.

In an email to TechTarget Editorial, TikTok said it had "discovered and quickly fixed a vulnerability in some older versions of the Android application."

Researchers outlined a proof-of-concept attack and additional risks in the Microsoft blog post. To exploit the flaw, an attacker would send a phishing link to the targeted user, which if clicked would enable access to sensitive information. However, Microsoft emphasized that exploitation would have required several issues to be chained together, including exposed JavaScript methods. Microsoft uncovered 70 JavaScript methods actors could have leveraged after connecting to the app.

This discovery, coupled with previous research, led Microsoft to issue a warning on the significant risks associated with JavaScript interfaces. If the interface becomes compromised, attackers can "execute code using the application's ID and privileges," according to the blog.

The TikTok vulnerability was found in the way the Android app handles deep links, which Microsoft described as "a special hyperlink that links to a specific component within a mobile app and consists of a scheme and (usually) a host part."

However, the flaw allowed the app's deep link verification to be bypassed, according to Microsoft, which enabled researchers to sneak a malicious link into WebView, an Android component that runs TikTok's in-app browser.

"Attackers could force the app to load an arbitrary URL to the app's WebView, allowing the URL to then access the WebView's attached JavaScript bridges and grant functionality to attackers," Microsoft wrote.

TikTok keylogging concerns

In-app browsers were the focus of another report last month by security researcher Felix Krause, who created a tool to verify what apps do in WebView. The report, which highlighted the risks of mobile apps using in-app browsers, examined around 25 of the most popular iOS apps and concluded that TikTok uses a technique equivalent to keylogging in its in-app browser.

"TikTok iOS subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app," Krause wrote in the report. "This can include passwords, credit card information and other sensitive user data."

In addition, he found that TikTok's iOS app uses a JavaScript function to examine what the user clicks. While Krause wrote that he can't be sure what TikTok uses the subscription for, he claimed that TikTok's response in a Forbes article confirmed it has a keylogging capability.

In a statement to TechTarget Editorial, TikTok said the report's conclusions are incorrect and misleading.

"The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects. Contrary to what the report claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting and performance monitoring," a TikTok spokesperson said in an email.

However, infosec experts agree that there is a lack of legitimate reasons for TikTok to use the keylogging functionality for troubleshooting. For one, Chester Wisniewski, principal research scientist at Sophos, said troubleshooting is usually provided by the operating system and not the app. For example, Apple would be responsible for any iPhone problems and Google for Android because they use Safari and Chrome, respectively.

"Other than invading my privacy, I can't think of why you'd ever keystroke me. Even for troubleshooting," he said.

Nick DeLena, partner at consulting firm DGC who specializes in cybersecurity and privacy advisory, agreed that keylogging is generally seen as an invasion of privacy -- and when an app or service is found to be using it, they're usually pressured into an alternate means of troubleshooting. DeLena added that the risk with TikTok's app is "particularly acute" because TikTok parent company ByteDance is partially owned by the Chinese government.

When it comes to free apps such as TikTok, John Bambenek, principal threat hunter at Netenrich, said the entire ecosystem is designed to vacuum up any data it can about its users.

"I generally operate under the assumption that if I'm not paying for something, it's probably engaging in as many questionable privacy practices as possible to get as much information as it can from me," he said in an email to TechTarget Editorial.

Whether TikTok is using the functionality solely for troubleshooting purposes or not, it can still pose security risks for enterprises. For example, Tim Mackey, principal security strategist at Synopsys, explained that if the app is being used in a work environment, there is every potential that some sensitive information from the business could be included in the keylogging data packet.

Though many organizations don't allow certain applications or services to be downloaded on work devices, it can be harder to control with the expanding remote workforce. The move has contributed to a thinner divide between work and personal lives.

Wisniewski emphasized that people are using their own phones or tablets now, and might be unaware of certain threats.

"It only takes a minute to be confused about whether you're currently in the company web browser, or you might be in the in-app TikTok browser by accident and start doing company stuff, and that's a huge risk to data leakage," he said.

Dig Deeper on Application and platform security