
TikTok fixes bugs that allow account takeover with one click


TikTok has patched two vulnerabilities that, when chained together, could have let attackers take over the accounts of users who signed up via third-party apps with a single click.

The social media platform’s Android app currently has more than 1 billion downloads according to official Google Play Store stats, and it crossed the 2 billion installs mark across all mobile platforms in April 2020, based on Sensor Tower Store Intelligence estimates.

German bug bounty hunter Muhammed Taskiran found a reflected cross-site scripting (XSS) security bug, also known as a non-persistent XSS, in a TikTok URL parameter that reflected its value without proper sanitization.

Taskiran found the reflected XSS that could have also led to data exfiltration while fuzz testing the company’s and domains.

He also found a TikTok API endpoint vulnerable to cross-site request forgery (CSRF), which made it possible to change the account passwords of users who had signed up using third-party apps.

He said that the endpoint enabled him to set a new password on accounts that had used third-party apps to sign up.
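To illustrate the two bug classes described above, the following is an added example (not TikTok’s code or the researcher’s material): a URL parameter reflected verbatim beside its HTML-encoded form, and a password-change handler that rejects requests lacking a same-site Origin and a valid per-session CSRF token. The hostnames, session id and account store are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed server-side key used to derive per-session CSRF tokens.
SECRET = secrets.token_bytes(32)
# Constructed first-party origin allowed to call the password endpoint.
TRUSTED_ORIGINS = {"https://example-app.test"}


def _query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter (percent-decoded), or ''."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_search_vulnerable(url: str) -> str:
    """Reflects the 'q' parameter into HTML unchanged: a reflected (non-persistent) XSS sink."""
    return f"<p>Results for: {_query_param(url, 'q')}</p>"


def render_search_fixed(url: str) -> str:
    """Same page, but the parameter is HTML-encoded before being reflected."""
    return f"<p>Results for: {escape(_query_param(url, 'q'), quote=True)}</p>"


def csrf_token(session_id: str) -> str:
    """Derive a token bound to the caller's session; it must be sent back with state changes."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def change_password(request: dict, session_id: str, accounts: dict) -> bool:
    """Password-change endpoint with CSRF protection.

    Accounts created through third-party sign-up may have no password yet, so this
    endpoint both sets and changes passwords. It applies the change only when the
    request came from a trusted origin AND carries the token bound to this session.
    Returns True if the password was updated, False if the request was rejected.
    """
    origin_ok = request.get("origin") in TRUSTED_ORIGINS
    token_ok = hmac.compare_digest(request.get("csrf_token", ""), csrf_token(session_id))
    if not (origin_ok and token_ok):
        return False
    accounts[request["user"]] = request["new_password"]
    return True
```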

Taskiran reported the account takeover attack chain to TikTok on August 26, 2020, and the company resolved the issues and awarded him with a $3,860 bounty on September 18.

Image Credits: CNBC

Priyanka R
Cyber Security Enthusiast, Security Blogger, Technical Editor, Author at Cyber Safe News
