TikTok is all the rage, and so are security holes. The latest example is a flaw that Microsoft's 365 Defender Research team found in the social network's Android application. Downloaded over 1.5 billion times, the app is a prime playground for attackers.
To avoid tragedies, the security researchers warned the parent company ByteDance of the vulnerability last February; it has since been identified as CVE-2022-28799 and fixed by TikTok.
Users of the app are therefore strongly advised to check that they are running the most up-to-date version.
Users of TikTok are urged to download the latest version of the app, which closes a sizeable security hole (credit: TikTok)
By gaining control of one of the WebView's exposed methods capable of making authenticated HTTP requests, an attacker could have taken over a TikTok user's account.
Good practices to follow
- Use the default browser to open URLs that do not belong to the application's approved list;
- Maintain the approved list and track the expiration dates of the domains it contains. This prevents an attacker from hijacking the WebView by registering an expired domain that is still on the list;
- Avoid partial string comparisons (substring or prefix matches) when checking a URL against the approved list of trusted domains;
- Avoid adding staging or internal network domains to the trusted list, as these could be spoofed by an attacker to hijack the WebView.
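As an added illustration of the first three practices, here is a hypothetical Android WebViewClient; it is not TikTok's code nor taken from the Microsoft report, and the allow-listed host names are placeholders. It contrasts the substring check the list warns against with an exact, parsed host comparison.

```java
import android.content.Intent;
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical client showing how an in-app WebView can restrict what it loads.
public final class AllowListWebViewClient extends WebViewClient {

    // Constructed allow-list of hosts the WebView may load (placeholders, not TikTok domains).
    // Keep staging and internal hosts out of it, and review entries before they expire.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList(
            "www.example-app.com",
            "m.example-app.com"));

    // The weak pattern the advice warns against: a substring match also accepts
    // "https://www.example-app.com.evil.test/" and "https://evil.test/?r=example-app.com".
    static boolean weakIsTrusted(String url) {
        return url.contains("example-app.com");
    }

    // Hardened check: parse the URL, require https, and compare the whole host
    // (lower-cased) against the allow-list, never a prefix or substring.
    static boolean isTrusted(Uri uri) {
        String host = uri.getHost();
        if (host == null || !"https".equals(uri.getScheme())) {
            return false;
        }
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        Uri uri = request.getUrl();
        if (isTrusted(uri)) {
            return false; // approved host: let the WebView load it
        }
        // Anything else is handed to the user's default browser, so the page never
        // runs inside the WebView where the app's authenticated bridge methods live.
        view.getContext().startActivity(new Intent(Intent.ACTION_VIEW, uri));
        return true;
    }
}
```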