Cyber security news for all


    TikTok has fixed a serious security gap

    TikTok paid a researcher a reward of 4000 dollars after he reported two vulnerabilities as part of a disclosure. Chained together, the two vulnerabilities would have made it possible to take over TikTok user accounts with a single click.

    The severity rating of the vulnerabilities was raised from 6.1 to 8.2 (high) over the last two months. In September, the security gap was then resolved on the server side. The published details on the security gaps and the attack built by the hacker group are limited to brief summaries. According to these, one of the two weaknesses enabled cross-site scripting by way of a URL parameter that was not sufficiently sanitized on the server side.

    Taskiran found the reflected XSS, which could also have led to data exfiltration, while fuzz testing the company's www.tiktok.com and m.tiktok.com domains. "The endpoint enabled me to set a new password on accounts which had used third-party apps to sign-up," Taskiran said.

    The Second Vulnerability Involved In The TikTok Accounts Infrastructure

    Cross-site request forgery (CSRF) lets an attacker trigger actions on behalf of a user who is already logged in. The two gaps were combined into an exploit chain with JavaScript: thanks to vulnerability one, the researcher was able to send code to the video platform's server as part of a URL. There the code triggered the CSRF vulnerability, with the result that the researcher was able to assign new log-in credentials to existing accounts. The whole thing only worked if an unspecified third party had been used to log into the account in the past.


    He became aware of the error using fuzzing, a method that submits random strings in an attempt to find security gaps. One of these allowed malicious code to be executed within a browser session. In addition, the researcher discovered a susceptibility to request forgery. In this kind of attack, a cyber criminal tricks a user into passing commands on the attacker's behalf, exploiting the fact that the victim is a trusted, logged-in user of the site.
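To show the two weaknesses from the defender's side, here is a constructed Python example (added for this article; it is neither TikTok's code nor the researcher's). It puts each weak pattern next to its fix: a URL parameter reflected into HTML without escaping versus escaped, and a password-change handler that accepts any logged-in request versus one that demands a per-session CSRF token. Function names, field names and the sample URL are assumptions.

```python
import html
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed helpers for illustration only; not the platform's real endpoints.


def _query_param(url: str, name: str) -> str:
    """Pull one query-string parameter out of a URL ('' if absent)."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_search_unsafe(url: str) -> str:
    """Weak pattern: the 'q' parameter is reflected into markup verbatim,
    so anything the URL carries becomes part of the page (reflected XSS)."""
    return f"<p>Results for {_query_param(url, 'q')}</p>"


def render_search_safe(url: str) -> str:
    """Fix: HTML-escape the reflected value so it is rendered as text,
    never interpreted as markup or script."""
    return f"<p>Results for {html.escape(_query_param(url, 'q'), quote=True)}</p>"


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the session; the form must echo it back."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def set_password(session: dict, form: dict, require_token: bool = True) -> bool:
    """Password-change handler. Returns True only if the change is accepted.

    With require_token=False it behaves like the weak endpoint: being
    logged in is enough, so a request forged from another origin succeeds.
    With require_token=True the request must also carry the session's
    CSRF token, which a cross-origin page cannot read.
    """
    if not session.get("user"):
        return False  # not logged in at all
    if require_token:
        expected = session.get("csrf_token")
        supplied = form.get("csrf_token", "")
        # constant-time compare avoids leaking the token byte by byte
        if not expected or not hmac.compare_digest(expected, supplied):
            return False
    session["password"] = form["new_password"]
    return True


if __name__ == "__main__":
    # Constructed sample input: a search URL carrying markup in the query.
    sample_url = "https://example.test/search?q=<b>x</b>"
    print(render_search_unsafe(sample_url))  # markup survives into the page
    print(render_search_safe(sample_url))    # markup is neutralised as text

    sess = {"user": "alice"}
    print(set_password(sess, {"new_password": "n"}, require_token=False))  # True: weak
    print(set_password(sess, {"new_password": "n"}))                        # False: no token
    tok = issue_csrf_token(sess)
    print(set_password(sess, {"new_password": "n", "csrf_token": tok}))    # True: fixed path
```

The escaping step is what removes the first link of the chain; the token check removes the second, because a script that reaches the server only through a URL has no way to read a token that lives in the victim's session.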
