Researchers have disclosed four high-severity flaws in the Android version of TikTok that could have easily been exploited by a seemingly benign third-party Android app. If successful, an attacker could fully compromise the target’s TikTok account. Public disclosure of the vulnerabilities was Friday and all bugs have been patched in version 17.4.4 of the app.
Oversecured researchers said they found three arbitrary code execution flaws and one arbitrary file theft vulnerability in TikTok. Disclosure of the flaws comes just as the owner of the social-media platform has reportedly chosen Oracle as an American tech partner that could help keep the app running in the U.S., on the heels of U.S. president Donald Trump threatening to ban the app over spying concerns.
If exploited, the arbitrary code execution flaws could allow attackers to access victims’ private messages and videos within the app. They could also gain control over the app’s permissions – giving them access to victims’ pictures and videos stored on the device, web browser downloads, audio and video record functions and contacts.
“All these vulnerabilities could have been exploited by a hacker if a user had installed a malicious app onto their Android device,” according to researchers with Oversecured, who discovered the flaws, in a Friday post. “All the vulnerabilities have been removed. Users should update to the latest version on Google Play to enjoy the best experience.”
TikTok Android Flaws
Researchers scanned the app and found several vulnerabilities in the way that files are loaded into the app. All arbitrary code execution flaws were discovered in different Android components in the AndroidManifest.xml file, which is a manifest file for app projects that describes essential information about apps to the Android build tools, the Android operating system, and Google Play.
The Android components in question are: DetailActivity, NotificationBroadcastReceiver, and the IndependentProcessDownloadService AIDL (Android Interface Definition Language) interface. The issue with these components is that they lack certain security checks, allowing a third-party app or anyone to load malicious arbitrary files into them.
“The initial vulnerability is that all of them were ‘exposed’ (or unprotected by default Android permission model),” Sergey Toshin, founder of Oversecured, told Threatpost. “That allowed third-party apps to reach them.”
In order to exploit the flaws, an attacker would first need to convince a target to download an app (such as a calculator app, for instance). Once installed, that app can create a library file in TikTok's private directory, and TikTok then loads it automatically.
“The vulnerability could have been exploited by an app that was only run once and then, say, deleted,” researchers explained. “The library would have been written to the app’s private directory and could have been loaded by the app even after the phone was rebooted or the app restarted. All vulnerabilities relating to arbitrary code execution would have led to the app and its users becoming thoroughly compromised.”
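The root cause Toshin describes is a manifest one: components that are "exposed", reachable by any third-party app because nothing in the default Android permission model guards them. The following is an added example, not code from the article, from Oversecured or from TikTok. It is a small Python checker that applies the manifest export rules (an explicit android:exported, or an implicit export via an intent-filter on pre-Android-12 targets) to an AndroidManifest.xml and reports every component that other apps can reach without holding an android:permission. The sample manifest is constructed for this example under a placeholder package, com.example.placeholder; the component names reuse the ones the article lists but the surrounding manifest is not TikTok's.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(elem):
    """Decide whether a component is reachable by other apps.

    An explicit android:exported wins. Without it, activities, services and
    receivers that declare an <intent-filter> are implicitly exported (the
    pre-Android-12 default; Android 12+ refuses to install such a manifest).
    A provider without the attribute is treated as not exported (API 17+ default).
    """
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return False
    return elem.find("intent-filter") is not None


def is_permission_guarded(elem):
    """True if an android:permission (or a provider read/write permission) gates access."""
    if elem.tag == "provider":
        names = ("permission", "readPermission", "writePermission")
    else:
        names = ("permission",)
    return any(_attr(elem, n) for n in names)


def find_exposed_components(manifest_xml):
    """Return (tag, name, reason) for each component other apps can reach unguarded."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for app in root.iter("application"):
        for elem in app:  # components are direct children of <application>
            if elem.tag not in COMPONENT_TAGS:
                continue
            if not is_exported(elem) or is_permission_guarded(elem):
                continue
            if _attr(elem, "exported") is not None:
                reason = 'android:exported="true" with no android:permission'
            else:
                reason = "implicitly exported by <intent-filter>, no android:permission"
            findings.append((elem.tag, _attr(elem, "name"), reason))
    return findings


# Constructed sample manifest (placeholder package; not TikTok's real manifest).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <permission android:name="com.example.placeholder.INTERNAL"
      android:protectionLevel="signature" />
  <application>
    <activity android:name=".DetailActivity" android:exported="true" />
    <receiver android:name=".NotificationBroadcastReceiver">
      <intent-filter>
        <action android:name="com.example.placeholder.NOTIFY" />
      </intent-filter>
    </receiver>
    <service android:name=".IndependentProcessDownloadService"
        android:exported="true"
        android:permission="com.example.placeholder.INTERNAL" />
    <activity android:name=".SettingsActivity" android:exported="false" />
    <provider android:name=".FileProvider"
        android:authorities="com.example.placeholder.files" />
  </application>
</manifest>
"""

if __name__ == "__main__":
    for tag, name, reason in find_exposed_components(SAMPLE_MANIFEST):
        print(f"<{tag}> {name}: {reason}")
```

In the sample, DetailActivity and NotificationBroadcastReceiver are flagged, while the download service is not, because it is guarded by a signature-level permission that only apps signed with the same key can hold; setting android:exported="false" or adding such a permission is the fix the checker is looking for. The rules are the published manifest defaults, but the checker reads only the manifest, so it cannot tell whether an exported component also validates what it receives.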
The three arbitrary code execution flaws were reported on Jan. 27, 2020 and fixed between June and August, according to researchers.
Researchers also found a flaw enabling arbitrary file theft in the activity com.ss.android.ugc.aweme.livewallpaper.ui.LiveWallPaperPreviewActivity.
“This flaw required user interaction but led to access to arbitrary protected app files,” according to researchers. “An attacker could access private user in-app data such as history, private messages, or session token, leading to access to the user’s account.”
This arbitrary file theft bug was reported on Feb. 16, 2020 to TikTok; versions 8.4.0 (September 12, 2018) to 15.2.10 (March 21, 2020) of the app are vulnerable.
Ongoing TikTok Security Woes
Over the past year TikTok has exploded in popularity, with over 500 million monthly active users globally – but has also drawn controversy around its privacy and security policies. The flaws have since been fixed.
TikTok has also come under ongoing scrutiny for its privacy and security policies over the past few months. In June, a new privacy feature in Apple iOS 14 shed light on TikTok’s practice of reading iPhone users’ cut-and-paste data, even though the company said in March it would stop.
In August, researchers found that TikTok has been collecting unique identifiers from millions of Android devices without their users’ knowledge using a tactic previously prohibited by Google because it violated people’s privacy.
Earlier this year, in January, researchers found a vulnerability in TikTok’s platform that could allow attackers to remotely take control over parts of victims’ TikTok account, such as uploading or deleting videos and changing settings on videos to make “hidden” videos public.