TikTok: a vulnerability in Android would have given cybercriminals a free pass to steal accounts

The vulnerability has already been fixed. (REUTERS/Dado Ruvic/Illustration)

Microsoft recently identified a vulnerability in the TikTok applications for Android that would have allowed attackers to access user data. With that access they could have stolen information that could then be used to defraud more people on the internet.

However, the vulnerability has already been fixed: the company founded by Bill Gates informed the Chinese social network about it in February, and according to the blog, the app's developers quickly set out to build a security patch to eliminate the bug.

In addition, both technology companies reported that the vulnerability was not exploited by any cybercriminal, so user data is safe; the theft of people's data was only a possibility.

Through this vulnerability, criminals could have stolen the data of the social network's users. (Photo: Franziska Gabbert/dpa)

The report indicates that the vulnerability was present in both versions of TikTok: the one available only in the countries of East and Southeast Asia, and the one the rest of the world knows.

If an attacker had identified this bug, tracked as CVE-2022-28799, and used it to their advantage, they could have bypassed the application's deep link verification in order to get in and take other users' data.

This vulnerability would not only have allowed the capture of data from other people using the social network; an attacker could also have reached the app's internal web pages by loading an arbitrary URL into a component called WebView.

The vulnerability was only present in TikTok on Android phones. (photo: Ámbito)

This is because, according to Microsoft, when the WebView is bridged to JavaScript, cybercriminals could have accessed the social network's user data through 70 different methods.

The American company's blog also reports that the vulnerability would even have allowed the user's authentication to be intercepted: by pointing the app at the address of an attacker-controlled server, the session cookies could be collected.
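As an added example (not code from TikTok, Microsoft or the article), the following Android activity shows the two defences that close the kind of hole described above: a deep link target is loaded into a WebView only if it passes a strict scheme-and-host allowlist, and the JavaScript bridge is attached only to pages that passed that check, with navigation away from trusted hosts blocked so an attacker-controlled page never reaches the bridge. The host names, the `url` query parameter and the `NativeBridge` class are assumptions for illustration.

```java
// Added example, not TikTok's or Microsoft's code. Host names, the "url"
// deep-link parameter and NativeBridge are hypothetical.
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class DeepLinkWebViewActivity extends Activity {

    // Hypothetical allowlist of first-party hosts. Exact match only: no
    // suffix or substring matching, so "app.example.com.evil.test" is rejected.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("app.example.com", "m.example.com"));

    /** Returns true only for https URLs whose host is exactly on the allowlist. */
    static boolean isTrustedUrl(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        // Only https: rejects http, javascript:, file:, content: and scheme-less input.
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        // Reject "https://app.example.com@evil.test" style confusion: no userinfo at all.
        if (uri.getUserInfo() != null) return false;
        String host = uri.getHost();
        if (host == null || host.isEmpty()) return false;
        // Backslashes or whitespace in the authority are parsed differently by
        // different URL parsers; refuse them instead of guessing which parser wins.
        String authority = uri.getEncodedAuthority();
        if (authority == null || authority.indexOf('\\') >= 0
                || authority.trim().length() != authority.length()) return false;
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        // The destination comes from the deep link itself, i.e. from whoever
        // crafted the link, so it is untrusted until it passes isTrustedUrl().
        Intent intent = getIntent();
        Uri data = intent != null ? intent.getData() : null;
        String target = data != null ? data.getQueryParameter("url") : null; // hypothetical parameter
        if (!isTrustedUrl(target)) {
            finish(); // unknown destination: drop the deep link entirely
            return;
        }

        webView.getSettings().setJavaScriptEnabled(true);
        // The bridge is attached only because the first URL passed the check...
        webView.addJavascriptInterface(new NativeBridge(), "Android");
        // ...and this client blocks any later navigation to an untrusted host,
        // so a page that could call the bridge is never an attacker's page.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true cancels the navigation.
                return !isTrustedUrl(request.getUrl().toString());
            }
        });
        webView.loadUrl(target);
    }

    /** Hypothetical native bridge; keep the surface exposed to JavaScript minimal. */
    static final class NativeBridge {
        @JavascriptInterface
        public String appVersion() {
            return "1.0"; // constructed value
        }
    }
}
```

Two design points matter here. First, the allowlist is checked on the raw deep-link parameter before anything is loaded, not after, so a rejected link never touches the WebView. Second, `shouldOverrideUrlLoading` only covers top-level navigations; if the trusted pages embed third-party frames or load subresources, `shouldInterceptRequest` should apply the same policy, and the set of `@JavascriptInterface` methods should stay as small as the app can tolerate, because every exposed method is reachable from any page that ends up in that WebView.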

To demonstrate the unwanted access allowed by the vulnerability, Microsoft sent a link with malicious content to a TikTok account it had created and prepared beforehand. When that link was opened, the security codes used to verify the user's account were intercepted.

The bug was fixed as soon as Microsoft reported it. (photo: ifep.com/Scyther)

Although the problem has already been resolved, the company noted that if an attacker had discovered this vulnerability, users' personal data would have been put at risk simply by sending a malicious link, in the style of a "phishing" attack.

What is phishing?

It is a form of internet fraud that consists of sending a link or a file infected with malware that can get into a computer or device in order to steal sensitive information and social network accounts; e-mail and cloud storage services can also be compromised directly.

Cybercriminals usually send these files to potential victims' email addresses, posing as a legitimate company that needs to contact the user; they may impersonate state institutions, banks or other types of companies.

Although this form of theft began with emails, it is now very common to see fake accounts on social networks looking for users to scam. On LinkedIn, for example, they write with the excuse of offering work or professional services.

It is important to be careful with suspicious messages that arrive in inboxes. (photo: 20Minutes)

With the stolen data, cybercriminals can extort money from victims in exchange for returning the information, or use it to impersonate them and so continue defrauding more people.
