TikTok has patched a reflected XSS security flaw and a bug leading to account takeover impacting the firm’s web domain. 

Reported via the bug bounty platform HackerOne by researcher Muhammed “milly” Taskiran, the first vulnerability relates to a URL parameter on the tiktok.com domain which was not properly sanitized.

While fuzzing, Muhammed Taskiran (milly), a 20-year-old hacker from Germany, discovered a URL parameter that reflected its value without proper sanitization, which allowed him to achieve reflected XSS. In addition, he found an endpoint that was vulnerable to CSRF.


The endpoint enabled me to set a new password on accounts which had used third-party apps to sign-up. I combined both vulnerabilities by crafting a simple JavaScript payload – triggering the CSRF – which I injected into the vulnerable URL parameter from earlier, to achieve a “one click account takeover”.

Muhammed Taskiran
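The two defects chained here are an unescaped reflected parameter and a state-changing endpoint with no request-forgery check. The following is an added example, not TikTok's code and not the researcher's payload, showing the two server-side mitigations a web team would apply: HTML-encode anything reflected from the URL before it reaches the page, and require a per-session CSRF token plus a matching Origin header on the password endpoint. The parameter name `q`, the endpoint shape and the session fields are assumptions made for the example.

```javascript
// Added example (not TikTok's code): hardening the two bug classes from the
// article, reflected XSS and CSRF on a password-setting endpoint.

// 1. Output encoding for reflected input. Every character that can open or
//    close HTML markup or an attribute is replaced by its entity.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical page that reflects a search term from the query string.
// The parameter name 'q' is an assumption for this example.
function renderSearchPage(queryParams) {
  const q = queryParams.get('q') ?? '';
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// 2. CSRF protection for a state-changing endpoint. The token lives in the
//    server-side session and is echoed back by the legitimate form; a request
//    forged from another origin cannot read it. Comparison is constant-time so
//    the check does not leak how many leading characters matched.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// req: { headers: { origin }, body: { csrfToken, newPassword } }
// session: { csrfToken, expectedOrigin } (constructed shapes for the example)
function handleSetPassword(req, session) {
  // Accept the token only from the request body, never from the URL, so it
  // cannot be supplied by a crafted link.
  const token = req.body.csrfToken;
  if (typeof token !== 'string' || !constantTimeEqual(token, session.csrfToken)) {
    return { status: 403, body: 'CSRF token missing or invalid' };
  }
  // Defence in depth: browsers attach Origin to cross-site POSTs, so a
  // mismatch is rejected even if a token ever leaked.
  if (req.headers.origin !== session.expectedOrigin) {
    return { status: 403, body: 'Origin mismatch' };
  }
  // Password storage (hashing, re-authentication for accounts created via a
  // third-party sign-up) is out of scope here; we only record acceptance.
  return { status: 200, body: 'password updated' };
}

// Stand-alone demonstration with constructed inputs.
function demo() {
  const demoSession = { csrfToken: 'demo-token-123', expectedOrigin: 'https://app.example' };
  console.log(renderSearchPage(new URLSearchParams('q=%3Cb%3Ehi%3C%2Fb%3E')));
  console.log(handleSetPassword(
    { headers: { origin: 'https://attacker.example' }, body: { newPassword: 'x' } }, demoSession));
  console.log(handleSetPassword(
    { headers: { origin: 'https://app.example' }, body: { csrfToken: 'demo-token-123', newPassword: 'x' } },
    demoSession));
}
demo();
```

The Origin check is deliberately a second layer rather than a replacement for the token: older clients may omit the header on same-site requests, so the token remains the primary control and the header check only tightens it.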

TikTok first received a report describing the vulnerabilities on August 26. By September 3, TikTok had triaged the security issues and assigned a severity score of 8.2. The bugs were patched on September 18. Taskiran was awarded a bug bounty reward of $3,860. 
