TikTok has patched a reflected XSS security flaw and a bug leading to account takeover impacting the firm’s web domain.
Reported via the bug bounty platform HackerOne by researcher Muhammed “milly” Taskiran, the first vulnerability relates to a URL parameter on the tiktok.com domain which was not properly sanitized.
While fuzzing, Muhammed Taskiran (milly) a 20 y/o hacker from Germany, discovered a URL parameter reflecting its value without being properly sanitized. Thus, he was able to achieve reflected XSS. In addition, He found an endpoint which was vulnerable to CSRF.
The endpoint enabled me to set a new password on accounts which had used third-party apps to sign-up. I combined both vulnerabilities by crafting a simple JavaScript payload – triggering the CSRF – which I injected into the vulnerable URL parameter from earlier, to archive a “one click account takeover”.
Muhammed Taskiran
TikTok first received a report describing the vulnerabilities on August 26. By September 3, TikTok had triaged the security issues and assigned a severity score of 8.2. The bugs were patched on September 18. Taskiran was awarded a bug bounty reward of $3,860.
