Vulnerabilities may have allowed hackers to alter TikTok account passwords.
After spotting a pair of glitches that might have been chained to hijack accounts, a researcher won almost $4,000 from TikTok.
In late August, Muhammed Taskiran, a 20-year-old German-based researcher, told TikTok that a URL parameter on tiktok.com “reflected its value without being properly sanitized.”
This implemented a mirrored cross-site scripting (XSS) vulnerability that may have been related to a Taskiran found cross-site request forgery (CSRF) bug.
An endpoint that allowed the researcher to set a new password for accounts that had used third-party applications to sign up to the social media site was affected by the CSRF problem. By merely getting the intended user to click on a malicious connection, an attacker may have manipulated the vulnerabilities to alter the password of an account.
Taskiran explained in a report sent to TikTok through the HackerOne forum, “I combined both vulnerabilities by creating a simple JavaScript payload – triggering the CSRF – which I injected into the vulnerable URL parameter from earlier, to archive a one-click account takeover’.”
TikTok graded the problem as “high severity” and granted $3,860 for his results to the researcher. The organization partly revealed the vulnerability analysis, disclosing only little technical details.
In recent months, Taskiran has also reported two other bugs against TikTok, including one that won him just over $500.
For high-severity vulnerabilities, TikTok provides between $1,700 and $6,900, and between $6,900 and $14,800 for critical vulnerabilities. To date, the organization has paid out more than $80,000 for 85 vulnerability reports received to its bug bounty scheme recently launched.
Because of national security issues, the United States government has sought to block Tik Tok, but the Chinese corporation is not backing down and it has fought some legal battles already.
