TikTok has paid a security researcher a reward of around 4,000 dollars after he reported two vulnerabilities through its disclosure program. Chained together, the two bugs would have allowed an attacker to take over a TikTok user's account with a single click.
Over the following two months the severity rating of the findings was raised from a medium 6.1 to a high 8.2. In September the flaw was then fixed on the server side. The published details of the weaknesses, and of the attack the researcher built from them, are limited to brief summaries. According to these, one of the two weaknesses allowed cross-site scripting through a URL parameter that was not sufficiently sanitised on the server side.
Taskiran found the reflected XSS, which could also have led to data exfiltration, while fuzz testing the company's www.tiktok.com and m.tiktok.com domains. "The endpoint enabled me to set a new password on accounts which had used third-party apps to sign-up," Taskiran said.
The Second Vulnerability Involved the TikTok Account Infrastructure
He found the bug by fuzzing, a technique that feeds random or malformed strings to an application in order to uncover security flaws. One of the results showed that attacker-supplied JavaScript could be executed within the victim's browser session. In addition, the researcher discovered a cross-site request forgery (CSRF) weakness. In such an attack, a criminal tricks a logged-in user into sending commands on the attacker's behalf, exploiting the fact that the web application trusts requests carrying the victim's session. Combined with the reflected XSS, the injected script could issue that forged request itself, which is how the two findings together yield the one-click takeover described above.