Description
The TikTok application before 23.7.3 for Android allows account takeover. A crafted URL (unvalidated deeplink) can force the com.zhiliaoapp.musically WebView to load an arbitrary website. This may allow an attacker to leverage an attached JavaScript interface for the takeover with one click.
References (3)
Third Party Advisory (x_refsource_misc): https://support.tiktok.com/en/safety-hc/reporting-security-vulnerabilities/reporting-the-security-vulnerabilities
Issue Tracking, Third Party Advisory (x_refsource_misc): https://hackerone.com/reports/1500614
Third Party Advisory (x_refsource_misc): https://github.com/Ch0pin/security-advisories/security/advisories/GHSA-v39p-88q5-5cvr
Scores
CVSS v3 base score: 8.8
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.1553
EPSS Percentile: 96.4%

Details
CWE: CWE-425
Status: published
Products (1): tiktok/tiktok, versions < 23.7.3
Published: Jun 02, 2022
Tracked Since: Feb 18, 2026