TikTok Users Were Vulnerable to a Single-Click Attack

Source: WIRED Science

Microsoft disclosed the flaw in the Android app’s deep link verification process, which has since been fixed.

This story originally appeared on Ars Technica, a trusted source for technology news, tech policy analysis, reviews, and more. Ars is owned by WIRED's parent company, Condé Nast.

The vulnerability involved deep links, which are Android-specific hyperlinks for accessing individual components within a mobile app. Deep links must be declared in an app's manifest for use outside of the app, so, for example, someone who clicks on a TikTok link in a browser has the content automatically opened in the TikTok app.

An app can also have Android verify that it is the legitimate handler for a URL domain: the domain publishes a Digital Asset Links file naming the app's package and signing-certificate fingerprint, which is the sense in which an app "cryptographically" declares the validity of that domain. TikTok on Android, for instance, declares the domain m.tiktok.com. Normally, the TikTok app will allow content from tiktok.com to be loaded into its WebView component but forbid WebView from loading content from other domains. Note that domain verification only settles which app opens the link; whether the app then loads a safe URL into its WebView still depends on the app's own validation of the URL it was handed. “The vulnerability allowed the app’s deep link verification to be bypassed,” the researchers wrote. “Attackers could force the app to load an arbitrary URL to the app’s WebView, allowing the URL to then access the WebView’s attached JavaScript bridges and grant functionality to attackers.”
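The failure mode described above is a URL-validation bug in front of a privileged WebView. The following is an added example written for this page; it is not TikTok's code and not Microsoft's proof of concept. It takes the allowlisted host m.tiktok.com from the article, puts two commonly seen (and bypassable) host checks beside a strict one, and runs all three over constructed URLs. The attacker URLs are made up here to show the class of mistake; they are not the specific bypass Microsoft reported.

```python
"""Deep-link host validation: two bypassable checks beside a strict one.

Added example for this page; it is not TikTok's code and not Microsoft's
proof of concept. The allowlisted host (m.tiktok.com) is taken from the
article. Every attacker URL below is constructed here to show the class of
mistake that lets a deep link smuggle a foreign URL into a WebView; it is
not the specific bypass Microsoft reported.
"""
from urllib.parse import urlsplit

# Hosts the app intends to load into its WebView (from the article).
ALLOWED_HOSTS = {"m.tiktok.com"}


def weak_substring_check(url: str) -> bool:
    """Vulnerable: 'does the trusted domain appear anywhere in the string?'
    Any URL that mentions tiktok.com in its path, query or userinfo passes."""
    return "tiktok.com" in url


def weak_suffix_check(url: str) -> bool:
    """Vulnerable: suffix match on the parsed host with no label boundary.
    evil-tiktok.com ends with tiktok.com and passes."""
    host = urlsplit(url).hostname or ""
    return host.endswith("tiktok.com")


def strict_check(url: str) -> bool:
    """Hardened: parse the URL, then require https, no userinfo, an exact
    allowlisted host and the default port. Everything else is rejected."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False                      # no http:// downgrade
    if parts.username is not None or parts.password is not None:
        return False                      # https://m.tiktok.com@attacker/...
    if parts.hostname not in ALLOWED_HOSTS:
        return False                      # .hostname is already lower-cased
    try:
        port = parts.port                 # raises ValueError on junk ports
    except ValueError:
        return False
    return port in (None, 443)


def open_in_webview(url: str, check) -> str:
    """Stand-in for the app's deep-link handler: the check decides whether
    the URL reaches a WebView that has a JavaScript bridge attached."""
    return "LOADED (bridge exposed)" if check(url) else "BLOCKED"


# Constructed inputs: one legitimate link and several attacker-shaped ones.
SAMPLE_URLS = [
    "https://m.tiktok.com/v/123",
    "https://www.attacker.com/poc?next=https://m.tiktok.com/",
    "https://evil-tiktok.com/poc",
    "https://m.tiktok.com@www.attacker.com/poc",
    "http://m.tiktok.com/",
]


def evaluate(url: str) -> dict:
    """Verdict of each check for one URL, keyed by check name."""
    return {
        "substring": weak_substring_check(url),
        "suffix": weak_suffix_check(url),
        "strict": strict_check(url),
    }


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        verdicts = evaluate(url)
        flags = " ".join(f"{k}={'pass' if v else 'fail'}" for k, v in verdicts.items())
        print(f"{url:<55} {flags:<40} -> {open_in_webview(url, strict_check)}")
```

On Android the same rule applies to `Uri.parse(url).getHost()`: compare it for exact equality against a short allowlist after checking the scheme, and only attach the JavaScript bridge (`addJavascriptInterface`) to a WebView that will load allowlisted content. A check that passes any of the attacker-shaped URLs above hands the bridge to whatever server the link points at.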

The researchers went on to create a proof-of-concept exploit that did just that. It involved sending a targeted TikTok user a malicious link that, when clicked, obtained the authentication tokens that TikTok servers require for users to prove ownership of their account. The link also changed the targeted user’s profile bio to display the text "!! SECURITY BREACH !!"

“Once the attacker’s specially crafted malicious link is clicked by the targeted TikTok user, the attacker’s server, https://www.attacker[.]com/poc, is granted full access to the JavaScript bridge and can invoke any exposed functionality,” the researchers wrote. “The attacker’s server returns an HTML page containing JavaScript code to send video upload tokens back to the attacker as well as change the user’s profile biography.”
