TikTok developers have fixed two vulnerabilities that allowed hijacking the accounts of users registered through third-party applications. The vulnerabilities were a reflected XSS and a CSRF bug that, chained together, led to full account takeover. Cybersecurity researcher Muhammed Taskiran reported the vulnerabilities through the company's official bug bounty program on the HackerOne platform.
The first issue was a URL parameter on the tiktok.com and m.tiktok.com domains that was not properly sanitized before being reflected back into the page. While fuzzing the platform, the researcher found that this could be exploited for reflected cross-site scripting (XSS), allowing attacker-supplied script to run in the victim's browser session.
The researcher also found that a TikTok API endpoint was vulnerable to cross-site request forgery (CSRF), in which an attacker tricks a logged-in user's browser into sending requests to a web application on the attacker's behalf, which the application then treats as the user's own actions. Through this endpoint, an attacker could change the password of accounts that had been registered using third-party applications.
The researcher notified TikTok of the issues at the end of August this year, and the company released fixes for both bugs at the end of September. TikTok paid the researcher a bug bounty of $3,860.
Let me remind you that we wrote earlier about a girl who happened to see an advertisement for one of these applications on TikTok and took the trouble to report it to the specialists of the Czech initiative Be Safe Online, which introduces children to Internet safety. As a result, the child helped uncover malware in the App Store and Google Play that had been downloaded over 2.4 million times.