
Microsoft discovered a serious vulnerability in TikTok that allows one-click page capture

  • September 1, 2022

The vulnerability was discovered in February and assigned the identifier CVE-2022-28799. In the meantime, TikTok fixed the problem.

What is known

The vulnerability was in the way the app handles what are called “deep links” – Android-specific hyperlinks that open individual components of a mobile app. For example, deep links are used to automatically open content in the app when someone clicks a TikTok link in a browser. TikTok allows content from tiktok.com to be loaded into the WebView component, but prevents WebView from loading content from other domains.
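A domain restriction of the kind described above depends on how the URL is checked before it reaches the WebView. The following is an added example, not TikTok's or Microsoft's code, and the article does not say how the real verification was bypassed; the class name, both check functions and the sample URLs are constructed for illustration. It contrasts a substring check with a check on the parsed URL.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;

public class DeepLinkUrlCheck {
    // Assumption for this example: only tiktok.com and its subdomains are trusted.
    static final String TRUSTED_DOMAIN = "tiktok.com";

    // Weak: a substring match on the raw string says nothing about the real host.
    static boolean weakCheck(String url) {
        return url.contains(TRUSTED_DOMAIN);
    }

    // Strict: parse first, then require https, no userinfo part, and a host that
    // is the trusted domain itself or a subdomain on a dot boundary.
    static boolean strictCheck(String url) {
        final URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false; // unparseable input is never loaded
        }
        String host = uri.getHost(); // null for opaque or malformed authorities
        if (host == null || !"https".equalsIgnoreCase(uri.getScheme())) return false;
        if (uri.getUserInfo() != null) return false; // rejects "trusted@other-host"
        host = host.toLowerCase(Locale.ROOT);
        return host.equals(TRUSTED_DOMAIN) || host.endsWith("." + TRUSTED_DOMAIN);
    }

    public static void main(String[] args) {
        // Constructed sample inputs; example.net stands in for an untrusted site.
        List<String> samples = List.of(
            "https://www.tiktok.com/@user/video/1",   // legitimate link
            "https://tiktok.com.example.net/",        // trusted name used as a prefix
            "https://example.net/?next=tiktok.com",   // trusted name in the query
            "https://tiktok.com@example.net/",        // trusted name as userinfo
            "http://www.tiktok.com/");                // right host, cleartext scheme
        for (String s : samples) {
            System.out.printf("%-40s weak=%-5b strict=%b%n",
                s, weakCheck(s), strictCheck(s));
        }
    }
}
```

The weak check accepts all five samples, while the strict check accepts only the first. An app would apply the same strict check again to every navigation and redirect inside the WebView, not only to the initial deep link.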

The vulnerability allowed the application to bypass deep link verification. Hackers can cause an application to load a random URL into the application’s WebView; this allows the URL WebView to access bound JavaScript hyperlinks and provide functionality to attackers.
– the researchers write.

  • Microsoft experts were able to create a special program (an exploit) to take advantage of this bug.
  • It involved sending a malicious link to the targeted TikTok user; when clicked, the link would obtain the authentication tokens that TikTok servers need to verify ownership of users’ accounts.
  • After that, they had full access to the JavaScript bridge and could use any function.
  • For example, the program automatically changed the tester’s bio to “!!SECURITY VIOLATION!!”.

Microsoft said there is no evidence that the vulnerability has been actively exploited by hackers.

Source: 24 Tv
