TikTok & the dangers of JavaScript bridges

Microsoft 365 Defender Research Team:

Microsoft discovered a high-severity vulnerability in the TikTok Android application, which could have allowed attackers to compromise users’ accounts with a single click. The vulnerability, which would have required several issues to be chained together to exploit, has been fixed and we did not locate any evidence of in-the-wild exploitation.

The issue only appears to have impacted TikTok’s Android application, but it highlights the dangers of bridging JavaScript to Java code within Android applications using the WebView class.

In this particular instance, Microsoft was able to use TikTok’s deep link mechanism to load an arbitrary URL that in turn could be used to gain full access to the functionality implemented in the JavaScript bridge. Ultimately, this allowed Microsoft researchers to perform authenticated HTTP requests, through which a malicious actor could have compromised a TikTok account.