TikTok has patched two vulnerabilities that, when chained together, could have let attackers take over the accounts of users who signed up via third-party apps with a single click.
The social media platform's Android app currently has more than 1 billion downloads according to official Google Play Store stats, and it crossed the 2 billion installs mark across all mobile platforms in April 2020 based on Sensor Tower Store Intelligence estimates.
German bug bounty hunter Muhammed Taskiran found a reflected cross-site scripting (XSS) security bug, also known as a non-persistent XSS, in a TikTok URL parameter that reflected its value without proper sanitization.
Taskiran found the reflected XSS, which could also have led to data exfiltration, while fuzz testing the company's www.tiktok.com and m.tiktok.com domains.
He also found a TikTok API endpoint vulnerable to cross-site request forgery (CSRF) attacks that made it possible to change the account passwords of users who signed up using third-party apps.
He said that the endpoint enabled him to set a new password on accounts which had used third-party apps to sign up.
Taskiran reported the account takeover attack chain to TikTok on August 26, 2020, and the company resolved the issues and awarded him a $3,860 bounty on September 18.
Image credit: CNBC