TikTok Patches Reflected XSS Bug, One-Click Account Takeover Exploit
TikTok has patched a reflected cross-site scripting (XSS) flaw and a cross-site request forgery (CSRF) bug on its web domain that together led to a one-click account takeover.
While fuzzing, Muhammed Taskiran (milly), a 20-year-old hacker from Germany, discovered a URL parameter whose value was reflected into the page without proper sanitization, giving him reflected XSS. In addition, he found an endpoint that was vulnerable to CSRF.
TikTok received the report describing the vulnerabilities on August 26. By September 3 it had triaged the issues and assigned a severity score of 8.2. The bugs were patched on September 18, and Taskiran was awarded a $3,860 bug bounty.