After exposing a set of vulnerabilities that could have been chained for a high-impact 1-click exploit, a researcher received over $11,000 from TikTok.
Sayed Abdelhafiz, an 18-year-old Egyptian researcher, revealed the details of several vulnerabilities he discovered in the TikTok app for Android between late 2020 and early 2021 in a blog post published on Medium last week.
Abdelhafiz found several cross-site scripting (XSS) flaws, a bug that allowed arbitrary app components to be launched, and a Zip Slip archive-extraction flaw. Chained together, these bugs could have let an attacker remotely execute arbitrary code on the targeted user’s Android device simply by getting them to click a malicious link.
It was enough for the victim to click on a link posted on a website or sent to their TikTok inbox, according to Abdelhafiz.
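The Zip Slip primitive named in the chain above, as an added example that is not from the researcher's post or from TikTok's code: a Python stand-in for an app's archive-extraction routine, with the unsafe pattern beside a hardened one. The archive contents, directory layout and function names are constructed for illustration; the bug is that an entry name such as `../../escaped.txt` is joined onto the extraction directory without canonicalisation, so the file lands outside it.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def build_malicious_zip() -> bytes:
    """Build, in memory, an archive whose entry name climbs out of the
    extraction directory. Constructed sample input, not a real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("legit.txt", "harmless")
        # ZipInfo keeps the name verbatim; only ZipFile.extract() sanitises it.
        zf.writestr("../../escaped.txt", "written outside the target dir")
    return buf.getvalue()


def extract_naive(zip_bytes: bytes, dest: str) -> list:
    """Vulnerable: trusts entry names and joins them straight onto dest."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for entry in zf.infolist():
            target = os.path.join(dest, entry.filename)  # no canonicalisation
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(entry))
            written.append(os.path.abspath(target))
    return written


def extract_safe(zip_bytes: bytes, dest: str) -> list:
    """Hardened: resolve every target first and refuse the whole archive if
    any entry would land outside dest, so nothing is written before the check."""
    dest_root = Path(dest).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        entries = zf.infolist()
        for entry in entries:
            target = (dest_root / entry.filename).resolve()
            if target != dest_root and dest_root not in target.parents:
                raise ValueError(f"Zip Slip blocked: {entry.filename!r}")
        for entry in entries:
            target = (dest_root / entry.filename).resolve()
            if entry.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(entry))
            written.append(str(target))
    return written


def demo() -> dict:
    """Run both extractors against the malicious archive in a scratch tree and
    report how many files the naive one wrote outside the intended directory
    and whether the hardened one refused the archive."""
    payload = build_malicious_zip()
    with tempfile.TemporaryDirectory() as scratch:
        dest = os.path.join(scratch, "app", "extract")  # hypothetical layout
        os.makedirs(dest)
        naive_paths = extract_naive(payload, dest)
        inside = os.path.abspath(dest) + os.sep
        escaped = [p for p in naive_paths if not p.startswith(inside)]
        try:
            extract_safe(payload, dest)
            blocked = False
        except ValueError:
            blocked = True
        return {"naive_escaped": len(escaped), "safe_blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The check resolves the joined path and compares it against the resolved extraction root rather than string-matching for `..`, which also catches absolute entry names and mixed separators. Validating every entry before writing any matters in practice: rejecting mid-extraction still leaves earlier, possibly attacker-chosen, files on disk.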
“Anything TikTok can do on your computer, the exploit can do,” the researcher said of what an attacker might have done with this exploit.
“The exploit will access the storage files if the victim has granted the TikTok application storage permission,” Abdelhafiz explained. “If bad actors take advantage of this flaw, they might combine it with an Android flaw to take control of the whole system, even if the TikTok app doesn’t have permission to do anything.”
TikTok responded quickly and rolled out a temporary patch within a week, according to Abdelhafiz, but the social media giant only allowed him to reveal details of his findings last week.
The researcher’s blog post includes proof-of-concept (PoC) code as well as information about how TikTok dealt with the flaws.
In October 2020, TikTok partnered with HackerOne to start a public bug bounty programme. According to the company’s HackerOne website, it has paid out nearly $130,000 to date, with top bounties ranging from $2,000 to $12,000.