Fr4Via

**Name of the Vulnerable Software and Affected Versions** TikTok versions prior to 34.5.5 **Description** The issue allows the takeover of Lynxview JavaScript interfaces via deeplink traversal in the application's exposed WebView. On Android 12 and later, this is only exploitable by third-party applications. **Recommendations** For versions prior to 34.5.5, update to version 34.5.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the exposed WebView to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** com.basecamp.bc3 versions prior to 4.2.1 **Description** Directory traversal can occur in the com.basecamp.bc3 application, which may allow an attacker to write arbitrary files in the application's private directory. Additionally, by using a malicious intent, the attacker may redirect the server's responses, containing sensitive information, to third-party applications by using a custom-crafted deeplink scheme. **Recommendations** For versions prior to 4.2.1, update to version 4.2.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of custom-crafted deeplink schemes to minimize the risk of exploitation. Avoid using malicious intents that could redirect server responses to third-party applications until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** TikTok application before 23.7.3 for Android **Description** The issue allows account takeover through a crafted URL that can force the com.zhiliaoapp.musically WebView to load an arbitrary website, potentially leveraging an attached JavaScript interface for the takeover with one click. This vulnerability is related to the Android System WebView mechanism, which allows loading web content within other applications. It is estimated that over 1.5 billion installations of two versions of the TikTok application were affected before the issue was fixed. The vulnerability could have allowed attackers to hijack users' accounts, potentially affecting billions of users. **Recommendations** For versions prior to 23.7.3, update to version 23.7.3 or later to resolve the issue. As a temporary workaround, consider avoiding links from untrusted sources and regularly updating the application from official sources. Restricting access to the vulnerable Android System WebView component may also help minimize the risk of exploitation until a patch is applied.