CVE-2022-28799

Name of the Vulnerable Software and Affected Versions TikTok application before 23.7.3 for Android

Description The issue allows account takeover through a crafted URL that can force the com.zhiliaoapp.musically WebView to load an arbitrary website, potentially leveraging an attached JavaScript interface for the takeover with one click. This vulnerability is related to the Android System WebView mechanism, which allows loading web content within other applications. It is estimated that over 1.5 billion installations of two versions of the TikTok application were affected before the issue was fixed. The vulnerability could have allowed attackers to hijack users' accounts, potentially affecting billions of users.

Recommendations For versions prior to 23.7.3, update to version 23.7.3 or later to resolve the issue. As a temporary workaround, consider avoiding links from untrusted sources and regularly updating the application from official sources. Restricting access to the vulnerable Android System WebView component may also help minimize the risk of exploitation until a patch is applied.