Vulnerability In TikTok Enabled Remote Code Execution


By combining multiple vulnerabilities in the Android version of video app TikTok, it was possible for an attacker to execute arbitrary code on the device when users opened a link. TikTok has now fixed the various security holes.


The four different bugs in total were found by security researcher Sayed Abdelhafiz , who has now published an extensive analysis . TikTok faced two cross-site scripting (XSS) vulnerabilities that made it possible to run JavaScript within the app. A third bug, which could be invoked via the XSS vulnerabilities, allowed arbitrary parts to be executed within TikTok's code.


This included an 'activity' with which an attacker could have downloaded a zip file with which various 'native libraries' could be overwritten by a malicious library. For example, an attacker could have executed his code on the device. Abdelhafiz warned TikTok, after which the vulnerable XSS code was removed, as well as the activity that allowed the download of malicious code.


Notice: It's Universal XSS because that javascript code is fired if the link contains something like: m.tiktok.com/falcon/.

Previous Post Next Post