
TikTok patches reflected XSS bug, one-click account takeover exploit

TikTok has patched a reflected XSS security flaw and a bug leading to account takeover impacting the firm’s web domain. 

Reported via the bug bounty platform HackerOne by researcher Muhammed “milly” Taskiran, the first vulnerability relates to a URL parameter on the tiktok.com domain which was not properly sanitized.


While fuzzing the platform, the bug bounty researcher found that this issue could be exploited to achieve reflected cross-site scripting (XSS), potentially leading to the execution of malicious code in a user’s browser session. 

In addition, Taskiran found an endpoint vulnerable to Cross-Site Request Forgery (CSRF), an attack in which threat actors trick a logged-in user's browser into submitting requests that the web application treats as the user's own actions.


Taskiran was able to create a simple JavaScript payload that combined both vulnerabilities. The script triggered the CSRF issue, and when injected into the vulnerable URL parameter it would lead to a one-click account takeover.

“The endpoint enabled me to set a new password on accounts which had used third-party apps to sign-up,” the bug bounty hunter said. 
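To illustrate the two weaknesses the chain above relies on, here is an added example (not TikTok's code and not the researcher's payload) of a page that reflects a URL parameter and a password-set endpoint, each beside a hardened version. The parameter name `q`, the endpoint and origin names are assumptions.

```python
import hashlib
import hmac
import secrets
from html import escape
from urllib.parse import parse_qs, urlsplit

# Reflected parameter (constructed example; "q" is an assumed name).
def render_search_unsafe(url: str) -> str:
    q = parse_qs(urlsplit(url).query).get("q", [""])[0]
    return f"<p>Results for {q}</p>"  # parameter lands in HTML verbatim

def render_search_safe(url: str) -> str:
    q = parse_qs(urlsplit(url).query).get("q", [""])[0]
    # HTML-encode on output so markup in the parameter is rendered as text.
    return f"<p>Results for {escape(q, quote=True)}</p>"

# Password-set endpoint (constructed example).
SERVER_KEY = secrets.token_bytes(32)

def issue_csrf_token(session_id: str) -> str:
    # Token bound to the session, so a request forged from another site
    # cannot carry a valid one.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def set_password_unsafe(session_id: str, form: dict) -> dict:
    # Any request that arrives with the session cookie succeeds.
    return {"ok": True}

def set_password_safe(session_id: str, form: dict, origin: str,
                      allowed_origin: str = "https://example.test") -> dict:
    if origin != allowed_origin:
        return {"ok": False, "reason": "bad origin"}
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(form.get("csrf_token", ""), expected):
        return {"ok": False, "reason": "bad csrf token"}
    return {"ok": True}
```

Note that a script already running on the site's own origin can read a CSRF token from the page, so the token and Origin check stop cross-site forgery, while the output encoding is what breaks the XSS-to-CSRF chain described here.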


TikTok first received a report describing the vulnerabilities on August 26. By September 3, TikTok had triaged the security issues and assigned a severity score of 8.2. The bugs were patched on September 18. 

Taskiran was awarded a bug bounty reward of $3,860. 

ZDNet has reached out to TikTok and will update when we hear back. 



By ZDNet
