TikTok fixes bugs allowing account takeover with one click

TikTok has fixed two vulnerabilities that, when chained together, could have allowed attackers to take over the accounts of users who signed up via third-party apps with a single click.


The social media platform owned by Beijing-based ByteDance is used for sharing short-form looping mobile videos of 3 to 60 seconds.


TikTok's Android app currently has over 1 billion installs according to official Google Play Store stats and has crossed the 2 billion installs mark on all mobile platforms in April 2020 based on Sensor Tower Store Intelligence estimates.


Found via fuzz testing

German bug bounty hunter Muhammed Taskiran discovered a reflected cross-site scripting (XSS) security bug — also known as a non-persistent XSS — in a TikTok URL parameter reflecting its value without proper sanitization.


Taskiran found the reflected XSS, which could also have led to data exfiltration, while fuzz testing the company's www.tiktok.com and m.tiktok.com domains.


He also found a TikTok API endpoint vulnerable to cross-site request forgery (CSRF) that made it possible to change the account passwords of users who had signed up using third-party apps.


"The endpoint enabled me to set a new password on accounts which had used third-party apps to sign up," Taskiran said.


"I combined both vulnerabilities by crafting a simple JavaScript payload - triggering the CSRF - which I injected into the vulnerable URL parameter from earlier, to achieve a 'one-click account takeover'."


Taskiran reported the account takeover attack chain to TikTok on August 26, 2020; the company resolved the issues and awarded the bug hunter a $3,860 bounty on September 18.


More account hijacking flaws fixed last year

TikTok also addressed a batch of security vulnerabilities in its infrastructure allowing potential attackers to hijack accounts to manipulate users' videos and steal their info.


The security issues were disclosed to ByteDance by Check Point researchers in late November 2019, with the company fixing the bugs within one month.


Attackers could have used TikTok's SMS system to exploit the vulnerabilities to upload and delete videos without authorization, move users' videos from private to public, and steal sensitive personal data.


"TikTok is committed to protecting user data," TikTok security engineer Luke Deshotels said at the time. "Like many organizations, we encourage responsible security researchers to privately disclose zero-day vulnerabilities to us."

