A ‘high severity’ TikTok vulnerability allowed one-click account hijacking

A vulnerability in the TikTok app for Android could have let attackers take over any account that clicked on a malicious link, potentially affecting hundreds of millions of users of the platform.

Details of the one-click exploit were revealed today in a blog post from researchers on Microsoft’s 365 Defender Research Team. The vulnerability was disclosed to TikTok by Microsoft, and has since been patched.

The bug and its resulting attack, labelled a “high severity vulnerability,” could have been used to hijack the account of any TikTok user on Android without their knowledge, once they clicked on a specially crafted link. After the link was clicked, the attacker would have access to all primary functions of the account, including the ability to upload and post videos, send messages to other users, and view private videos stored in the account.

The potential impact was huge, as it affected all global variants of the Android TikTok app, which has a total of more than 1.5 billion downloads on the Google Play Store. “However, there’s no evidence it was exploited by bad actors,” said TikTok spokesperson Maureen Shanahan. “Researchers involved with the discovery and disclosure praised TikTok for a quick response.”

Microsoft confirmed that TikTok responded promptly to the report. “We gave them information about the vulnerability and collaborated to help fix this issue,” Tanmay Ganacharya, partner director for security research at Microsoft Defender for Endpoint, told The Verge. “TikTok responded quickly, and we commend the efficient and professional resolution from the security team.”

According to details published in the blog post, the vulnerability affected the deep link functionality of the Android app. This deep link handling tells the operating system to let certain apps process links in a specific way, such as opening the Twitter app to follow a user after clicking an HTML “Follow this account” button embedded in a webpage.

This link handling also includes a verification process that should restrict the actions performed when an application loads a given link. But the researchers found a way to bypass this verification process and execute a number of potentially weaponizable functions within the app.

One of these functions let them retrieve an authentication token tied to a certain user account, effectively granting account access without the need to enter a password. In a proof-of-concept attack, the researchers crafted a malicious link that, when clicked, changed a TikTok account’s bio to read “SECURITY BREACH.”
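The verification step described above comes down to deciding, from the link the app was asked to handle, whether its destination really belongs to the app’s own domain before any privileged in-app function is exposed to it. The following is an added example, not code from Microsoft’s research or from TikTok, and it does not claim to reproduce the specific bypass found there (the article gives no details of it). It contrasts the general weak pattern, a substring match over the raw link, with a strict check that parses the URL and compares scheme and host exactly against an allowlist. The host names `www.example-app.com` and `m.example-app.com` and the test links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for illustration; a real app would list only its own hosts.
TRUSTED_HOSTS = {"www.example-app.com", "m.example-app.com"}


def weak_is_trusted(url: str) -> bool:
    """The pattern to avoid: a substring match over the whole link.

    Any URL that merely *mentions* a trusted host name (in a query parameter,
    in the path, or as userinfo before an '@') passes this check.
    """
    return any(host in url for host in TRUSTED_HOSTS)


def strict_is_trusted(url: str) -> bool:
    """Parse the link and compare scheme and host exactly against the allowlist.

    urlsplit().hostname already lowercases the host and strips any userinfo
    ("user@") and port, so "https://www.example-app.com@attacker.example/"
    yields the real destination "attacker.example".
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        # Malformed input (e.g. an unbalanced IPv6 bracket) is never trusted.
        return False
    if parts.scheme != "https":
        return False
    host = parts.hostname
    if host is None:
        # Schemes with no network location (about:, data:, ...) have no host.
        return False
    return host in TRUSTED_HOSTS


if __name__ == "__main__":
    # Constructed sample links: one genuine, three that only look genuine.
    samples = [
        "https://www.example-app.com/profile?u=1",
        "https://attacker.example/?next=https://www.example-app.com/",
        "https://www.example-app.com@attacker.example/",
        "http://www.example-app.com/",
    ]
    for link in samples:
        print(f"{link:60} weak={weak_is_trusted(link)!s:5} strict={strict_is_trusted(link)}")
```

The point of the comparison is that the decision must be made on the parsed host component of the URL, never on the raw string: every link in the sample list except the first is rejected by `strict_is_trusted`, while `weak_is_trusted` accepts all of them.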

A screenshot of a compromised account.

Fortunately, the vulnerability was detected, and Microsoft has used the opportunity to stress the importance of collaboration and coordination between technology platforms and vendors.

“As threats across platforms continue to grow in numbers and sophistication, vulnerability disclosures, coordinated response, and other forms of threat intelligence sharing are needed to help secure users’ computing experience, regardless of the platform or device in use,” wrote Microsoft’s Dimitrios Valsamaras in the blog post. “We will continue to work with the larger security community to share research and intelligence about threats in the effort to build better protection for all.”

Although the TikTok app is not known to have suffered any major hacks so far, some critics have branded it a security risk for other reasons.

Recently, concerns have been raised over the extent to which US users’ data can be accessed by China-based engineers at ByteDance, TikTok’s parent company. In July, Senate Intelligence Committee leaders called on FTC chair Lina Khan to investigate TikTok after reports brought into question claims that US users’ data was walled off from the Chinese branch of the company.

Correction and update: This story has been updated with a statement from TikTok. A previous version of this article said that TikTok failed to respond by publication time. In fact, The Verge received their comment but failed to include it. We regret the error.

Repost: Original Source and Author Link


Hackers are hijacking Wi-Fi routers with zuoRAT malware

As if you didn’t already have enough to worry about, a new report finds hackers are targeting home Wi-Fi routers to gain access to all your connected devices.

The report comes from Black Lotus Labs, a security division of Lumen Technologies. The report details several observed real-world attacks on small office/home office (SOHO) routers since 2020, when millions of people began working from home at the start of the COVID-19 pandemic.

According to Black Lotus Lab, the attackers use Remote Access Trojans (RATs) to hijack a home’s router. The trojans use a new malware strain called zuoRAT to gain access and then deploy inside the router. Once deployed, the RATs allow attackers to upload and download files to all the connected devices on the home or office network.

“The rapid shift to remote work in spring of 2020 presented a fresh opportunity for threat actors to subvert traditional defense-in-depth protections by targeting the weakest points of the new network perimeter — small office/home office (SOHO) routers,” Lumen Technologies said in a blog post. “Actors can leverage SOHO router access to maintain a low-detection presence on the target network.”

ZuoRAT is resistant to attempts to sandbox it for further study. It attempts to contact several public servers when it first deploys. If it doesn’t receive any response, it assumes it has been sandboxed and deletes itself.

The malware is incredibly sophisticated, and Lumen Technologies believes it may originate from a nation-state actor, not rogue hackers. This means a government with a lot of resources could be targeting SOHO routers in North America and Europe.

ZuoRAT gains remote access to SOHO routers. It is constantly scanning networks for vulnerable routers and attacks if one is located.

Once the trojans are in, there’s no limit to the damage they can do. So far, they’ve been content with stealing data — personal identifiable information (PII), financial information, and normally secure business or corporate information. However, the ability is there for threat actors to deploy other malware once they’ve gained access.

Black Lotus Labs was able to trace one of the zuoRAT samples to servers in China. Other than that, little is known about the origins of the malware.

Most common household routers seem to be vulnerable, including Cisco, Netgear, and ASUS. The best way to protect against a zuoRAT infection is to regularly reboot your home router. The virus cannot survive a reboot, which wipes the router and restores it to its factory settings.




FCC considers new rules to stop scammers from hijacking your cell phone

The Federal Communications Commission (FCC) on Thursday said it’s looking into tightening rules around cell phone service, in an effort to rein in SIM swapping scams and port-out fraud, two ways fraudsters can access a person’s cell phone account and phone number for nefarious purposes.

The agency says in a statement it has received numerous complaints “from consumers who have suffered significant distress, inconvenience, and financial harm” due to SIM swapping and port-out fraud. And, the FCC said, recent data breaches have exposed customer information that could make it easier for bad actors to carry out these kinds of attacks successfully.

SIM swapping is when someone hijacks your cell phone number so they can intercept two-factor authentication codes — the ones you use to verify a log-in or account access — to gain access to your account information. Typically, a bad actor is able to convince their victim’s cell phone carrier to transfer service to a different device, which the victim doesn’t have access to, but the bad actor does.

Port-out fraud happens when the fraudster poses as their victim and opens an account with a different cell phone carrier than the victim’s and has the victim’s phone number transferred — or “ported out” — to the new account with the different carrier.

In most instances, if the bad actor has access to a piece of personal identifying information, they can pull off either (or both) of these scams before the victim realizes what has happened.

Most security experts recommend using a third-party authenticator app to provide 2FA rather than receiving a text message with a log-in code, which is a less secure method.

The FCC has now issued a formal notice of proposed rulemaking and said in a press release it wants to amend the current rules to require carriers to adopt more secure methods of authenticating a customer’s identity before they redirect service or a phone number to a new device or carrier. The agency is also proposing requiring carriers to immediately notify a customer whenever a SIM change or port request is made on their account.
