TikTok, or rather its operator ByteDance, has paid a researcher a reward of $3,860 after he reported two vulnerabilities in the video portal as part of a responsible disclosure process, that is, under predefined, responsible framework conditions. Under certain conditions, a combination of the two vulnerabilities could have allowed TikTok accounts to be taken over "with one click".
As the documentation of the process on the bug bounty platform HackerOne shows, the researcher Muhammed Taskiran ("Milly") submitted his report to the TikTok team at the end of August. At the beginning of September, the assessed severity of the vulnerability combination was raised from Medium (6.1) to High (8.2). On September 18 the security problem was fixed server-side. No action was required from users.
Exploit code as a URL parameter
The information on HackerOne about the vulnerabilities and the attack combination "Milly" devised is limited to a short summary. According to it, one of the two vulnerabilities was a so-called reflected, i.e. server-side, cross-site scripting (XSS) flaw, caused by passing a URL parameter that was not sufficiently checked and sanitized on the server side.
The second vulnerability concerned an endpoint in the TikTok infrastructure that was susceptible to cross-site request forgery (CSRF). CSRF attacks allow transactions to be carried out in the context of a user who is already logged in.
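The two defect classes described above, a URL parameter echoed into the page without encoding and a state-changing endpoint that accepts cross-site requests, can be illustrated side by side with their fixes. The following is an added example written for this article, not TikTok's code and not from the HackerOne report; the URL, origins, session token and request dicts are constructed.

```python
import hmac
import html
from urllib.parse import parse_qs, urlsplit


def render_reflected(url: str, escape: bool) -> str:
    """Render a fragment that echoes the 'q' query parameter of a URL.

    escape=False reproduces the reflected-XSS defect class: the parameter
    lands in the HTML unchanged, so any markup in it is interpreted by the
    browser. escape=True renders the same value as inert text.
    """
    params = parse_qs(urlsplit(url).query)
    q = params.get("q", [""])[0]
    body = html.escape(q, quote=True) if escape else q
    return f"<p>Results for: {body}</p>"


def csrf_allowed(request: dict, session_token: str, allowed_origins: set) -> bool:
    """Decide whether a state-changing request may proceed.

    `request` is a constructed dict with 'headers' and 'form' keys (hypothetical
    shape, not a real framework object). Two independent checks must pass: the
    Origin header names the site itself, and the form carries the per-session
    CSRF token, compared in constant time. Either failing rejects the request,
    which is what the vulnerable endpoint described in the article lacked.
    """
    origin = request.get("headers", {}).get("Origin", "")
    if origin not in allowed_origins:
        return False
    token = request.get("form", {}).get("csrf_token", "")
    return hmac.compare_digest(token, session_token)


if __name__ == "__main__":
    # Constructed sample input: a query value containing markup.
    url = "https://app.example.test/search?q=<script>test</script>"
    print("vulnerable:", render_reflected(url, escape=False))
    print("hardened:  ", render_reflected(url, escape=True))

    session_token = "constructed-session-token"
    site = {"https://app.example.test"}
    same_site = {"headers": {"Origin": "https://app.example.test"},
                 "form": {"csrf_token": session_token}}
    cross_site = {"headers": {"Origin": "https://other.example"},
                  "form": {"csrf_token": session_token}}
    print("same-site request allowed:", csrf_allowed(same_site, session_token, site))
    print("cross-site request allowed:", csrf_allowed(cross_site, session_token, site))
```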