Researchers have disclosed four high-severity flaws in the Android version of TikTok that could have easily been exploited by a seemingly benign third-party Android app. If successful, an attacker could fully compromise the target’s TikTok account. Public disclosure of the vulnerabilities was Friday and all bugs have been patched in version 17.4.4 of the app.
The flaws are disclosed as Oracle partners with TikTok
Oversecured researchers said they found the arbitrary code execution flaws and one arbitrary file theft vulnerability in TikTok. Disclosure of the flaws come just as the owner of social-media platform have reportedly chosen Oracle as an American tech partner that could help keep the app running in the U.S.,on the heels of U.S. president Donald Trump threatening to ban the app over spying concerns.
It allow to access to users messages and videos
If exploited, the arbitrary code execution flaws could allow attackers to access victims private messages and videos within the app. They could also gain control over the app’s permissions giving them access to victims’ pictures and videos stored on the device, web browser downloads, audio and video record functions and contacts.
All these vulnerabilities could have been exploited by a hacker if a user had installed a malicious app onto their Android device. All the vulnerabilities have been removed. Users should update to the latest version on Google Play to enjoy the best experience.Oversecured Researcher
TikTok Android Flaws
Researchers scanned the app and found several vulnerabilities in the way that files are loaded into the app. All arbitrary code execution flaws were discovered in different Android components in the AndroidManifest.xml file, which is a manifest file for app projects that describes essential information about apps to the Android build tools, the Android operating system, and Google Play.
The Android components in question are: DetailActivity, NotificationBroadcastReceiver, and the IndependentProcessDownloadService AIDL (Android Interface Definition Language) interface. The issue with these components is that they lack certain security checks, allowing a third-party app or anyone to load malicious arbitrary files into them.
The initial vulnerability is that all of them were exposed (or unprotected by default Android permission model). That allowed third-party apps to reach them.Sergey Toshin – Founder of Oversecured
In order to exploit the flaws, an attacker would first need to convince a target to download an app (such as a calculator app, for instance). Once downloaded, the app can create a library file in the TikTok’s private directory and automatically load it.
The vulnerability could have been exploited by an app that was only run once and then, say, deleted. The library would have been written to the app’s private directory and could have been loaded by the app even after the phone was rebooted or the app restarted. All vulnerabilities relating to arbitrary code execution would have lead to the app and its users becoming thoroughly compromised.Oversecured Researchers
The three arbitrary code execution flaws were reported on Jan 27, 2020 and fixed between June and August, according to researchers. Researchers also found a flaw enabling arbitrary file theft in the activity com.ss.android.ugc.aweme.livewallpaper.ui.LiveWallPaperPreviewActivity.
This flaw required user interaction but led to access to arbitrary protected app files. An attacker could access private user in-app data such as history, private messages, or session token, leading to access to the user’s account.Researchers
This arbitrary file theft bug was reported on Feb. 16, 2020 to TikTok; versions 8.4.0 (September 12, 2018) to 15.2.10 (March 21, 2020) of the app are vulnerable.
As part of our ongoing efforts to build the safest and most secure platform in the industry, we constantly work with third parties to find and fix bugs. While the bugs in question would only pose a risk if a user had also downloaded a malicious application onto their Android device, we have fixed them. We appreciate the researcher reporting this issue to us so that we could fix it, and we encourage all of our users to download the latest version of the app.TikTok Spokesperson
Ongoing TikTok Security Woes
Over the past year TikTok has exploded in popularity, with over 500 million monthly active users globally but has also drawn controversy around its privacy and security policies. The flaws have since been fixed.
TikTok has also come under ongoing scrutiny for its privacy and security policies over the past few months. In June, a new privacy feature in Apple iOS 14 shed light on TikTok’s practice of reading iPhone users cut-and-paste data, even though the company said in March it would stop.
In August, researchers found that TikTok has been collecting unique identifiers from millions of Android devices without their users knowledge using a tactic previously prohibited by Google because it violated people’s privacy.
Earlier this year, in January, researchers found a vulnerability in TikTok’s platform that could allow attackers to remotely take control over parts of victims TikTok account, such as uploading or deleting videos and changing settings on videos to make hidden videos public.