Vulnerabilities in TikTok Allowed One-Click Accounts Hacking

Written by Emma Davis

TikTok developers have fixed two vulnerabilities that allowed hijacking the accounts of users who registered through third-party applications. The vulnerabilities were a reflected XSS and a CSRF bug on a company endpoint, which together led to full account takeover.

Cybersecurity researcher Muhammed Taskiran reported the vulnerabilities through the company's official bug bounty program on the HackerOne platform.

The first issue was a URL parameter on the tiktok.com and m.tiktok.com domains that was not properly sanitized before being reflected into the page.

While fuzzing the platform, the researcher discovered that this issue could be exploited to achieve reflected cross-site scripting (XSS), potentially leading to malicious code execution in the user's browser session.

The expert also discovered that a TikTok API endpoint was vulnerable to CSRF attacks, in which an attacker tricks a logged-in user's browser into sending requests to a web application on the user's behalf. Through this endpoint the attacker could change the passwords of accounts that had been registered using third-party applications.

"I pooled these vulnerabilities by creating a simple JavaScript payload (a provocative CSRF that I previously injected into the vulnerable URL parameter) that allowed one-click account hijacking," the expert writes.

Taskiran was able to create a simple JavaScript payload that combined both vulnerabilities. The script triggered the CSRF issue and, when injected into the vulnerable URL parameter, led to a one-click account takeover.

"The endpoint enabled me to set a new password on accounts which had used third-party apps to sign-up," the bug bounty hunter said.

The researcher notified the TikTok developers of the issue at the end of August this year, and the company released patches for the discovered bugs at the end of September. The company also paid the researcher a bug bounty of $3,860.

Let me remind you that we previously wrote about a girl who happened to see an advertisement for one of the applications on TikTok and took the trouble to report it to the specialists of the Czech initiative Be Safe Online, which teaches children about Internet safety. That child thus helped detect malware in the App Store and Google Play that had been downloaded over 2.4 million times.


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
