TikTok patches reflected XSS bug, one-click account takeover exploit

TikTok has patched a reflected XSS security flaw and a bug leading to account takeover impacting the firm’s web domain. 

Reported via the bug bounty platform HackerOne by researcher Muhammed “milly” Taskiran, the first vulnerability relates to a URL parameter on the tiktok.com domain which was not properly sanitized.

See also: What TikTok’s big deal means for cloud, e-commerce: TikTok Global created with Oracle, Walmart owning 20%

While fuzzing the platform, the bug bounty researcher found that this issue could be exploited to achieve reflected cross-site scripting (XSS), potentially leading to the execution of malicious code in a user’s browser session. 

In addition, Taskiran found an endpoint vulnerable to Cross-Site Request Forgery (CSRF), an attack in which threat actors can dupe users into submitting actions on their behalf to a web application as a trusted user.

CNET: What’s the best cheap VPN? We found 3 good options

Taskiran was able to create a simple JavaScript payload that combined both vulnerabilities. The script was able to trigger the CSRF issue, and then if injected into the vulnerable URL parameter, would lead to a one-click account takeover. 

“The endpoint enabled me to set a new password on accounts which had used third-party apps to sign-up,” the bug bounty hunter said. 

TechRepublic: It’s time for banks to rethink how they secure customer information

TikTok first received a report describing the vulnerabilities on August 26. By September 3, TikTok had triaged the security issues and assigned a severity score of 8.2. The bugs were patched on September 18. 

Taskiran was awarded a bug bounty reward of $3,860. 

ZDNet has reached out to TikTok and will update when we hear back. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


READ MORE HERE