TikTok has recently addressed a serious security vulnerability in its platform. Specifically, a cross-site scripting (XSS) flaw affected the TikTok platform and allowed account takeovers.
TikTok XSS Flaw
Reportedly, researcher Muhammed Taskiran (alias milly on HackerOne) discovered a severe XSS flaw affecting TikTok.
Specifically, the researcher found two separate security issues that, when chained together, put users' accounts at risk. Describing the origin of the vulnerability, the researcher stated in his bug report,
While fuzzing, I discovered a URL parameter reflecting its value without being properly sanitized. Thus, I was able to achieve reflected XSS. In addition, I found an endpoint which was vulnerable to CSRF.
Chaining the two issues allowed him to change the password of a target account and thereby take it over.
The endpoint enabled me to set a new password on accounts which had used third-party apps to sign-up. I combined both vulnerabilities by crafting a simple JavaScript payload – triggering the CSRF – which I injected into the vulnerable URL parameter from earlier, to achieve a “one click account takeover”.
These vulnerabilities affected both “www.tiktok.com” and “m.tiktok.com” platforms.
TikTok Patched The Bug
The researcher reported the matter to TikTok via their HackerOne bug bounty program in August 2020. The flaw initially received a medium severity rating, which was then changed to a high-severity rating with a score of 8.2.
TikTok developed and deployed a fix for the vulnerability in September, and the report has now been publicly disclosed.
Besides deploying a fix, TikTok also awarded a $3,860 bounty to the researcher.
However, since TikTok has published no official advisory for the vulnerability and its fix, it is not clear which app version contains the patch. Users should therefore make sure they are running the latest version of the application on their devices.
In September, TikTok also addressed numerous vulnerabilities that could allow an attacker to steal data.