TikTok: exploit chain allowed account takeover "with one click"


TikTok, or rather its operator ByteDance, has paid a researcher a reward of 3,860 US dollars after he reported two vulnerabilities in the video portal as part of a responsible disclosure process, that is, under responsibly predefined conditions. A combination of the two vulnerabilities allowed TikTok accounts to be hijacked "with one click" under certain conditions.

As the documentation of the process on the bug bounty platform HackerOne shows, through which the responsible disclosure procedure was run, the researcher Muhammed Taskiran ("Milly") submitted his report to the TikTok team at the end of August. At the beginning of September the severity determined for the vulnerability combination was raised from Medium (6.1) to High (8.2). On September 18 the security problem was then fixed on the server side. There was no need for action on the part of users.

Exploit code as URL parameter

The information that "Milly" and HackerOne have published about the security flaws and the attack combination is limited to a short summary. According to it, one of the two vulnerabilities was so-called reflected cross-site scripting, i.e. server-side cross-site scripting caused by passing a URL parameter that the server did not sufficiently check and sanitise before echoing it back.

The second vulnerability concerned an endpoint in the TikTok infrastructure that was susceptible to cross-site request forgery (CSRF). CSRF attacks allow transactions to be carried out in the context of an already logged-in user.

"Milly" combined both into an exploit chain using JavaScript code, which he first sent to the TikTok server as a URL parameter thanks to vulnerability one. There the code triggered the CSRF vulnerability, with the result that the researcher was able to set new passwords for existing accounts. However, the whole thing only worked if a (not yet named) third-party app had been used in the past to log into the respective account.
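The two links of the chain described above, reflected XSS via an unchecked URL parameter and a state-changing endpoint without CSRF protection, each have a standard server-side fix, and either one on its own would have broken the chain. The following is an added example written for this article, not code from TikTok, ByteDance, HackerOne or the researcher, and it knows nothing about the real endpoints involved: the hostname `app.example`, the session store, the `Request` class and the password-change handler are all constructed here to illustrate the defences. The first function HTML-escapes a reflected query parameter so script in the URL arrives in the page as inert text; the second accepts a password change only from a logged-in session whose request carries a matching `Origin`/`Referer` and a per-session anti-CSRF token. The third-party-login precondition mentioned in the text is not modelled.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Constructed session store: cookie value -> session data (not a real product's store).
SESSIONS = {
    "sess-alice": {"user": "alice", "csrf_token": secrets.token_urlsafe(32)},
}
# Assumed first-party origin for this example; any other origin is cross-site.
TRUSTED_ORIGIN = "https://app.example"


def render_search_page(url: str) -> str:
    """Reflect the 'q' query parameter into HTML safely.

    html.escape() turns <, >, &, " and ' into entities, so a parameter such as
    <script>...</script> is rendered as visible text and never executes.
    """
    params = parse_qs(urlparse(url).query)
    query = params.get("q", [""])[0]
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for the example)."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def _same_origin(header_value: str) -> bool:
    """Compare scheme://host of an Origin or Referer header against TRUSTED_ORIGIN."""
    parsed = urlparse(header_value)
    return f"{parsed.scheme}://{parsed.netloc}" == TRUSTED_ORIGIN


def handle_password_change(req: Request) -> tuple[int, str]:
    """State-changing endpoint with CSRF defences layered on top of the session cookie.

    The session cookie alone proves only that a browser is logged in, which is
    exactly what a CSRF request also has. Two further checks tie the request to
    the first-party page: the Origin/Referer header and a per-session token that
    a cross-site page cannot read.
    """
    if req.method != "POST":
        return 405, "method not allowed"
    session = SESSIONS.get(req.cookies.get("sid", ""))
    if session is None:
        return 401, "not logged in"
    # Defence 1: the browser-supplied Origin (or Referer) must be first-party.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not _same_origin(origin):
        return 403, "cross-origin request rejected"
    # Defence 2: the form must carry the session's anti-CSRF token (constant-time compare).
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return 403, "missing or invalid csrf token"
    new_password = req.form.get("new_password", "")
    if len(new_password) < 12:
        return 400, "password too short"
    return 200, f"password updated for {session['user']}"


if __name__ == "__main__":
    print(render_search_page("https://app.example/search?q=<b>hello</b>"))
    forged = Request("POST", headers={"Origin": "https://attacker.example"},
                     cookies={"sid": "sess-alice"}, form={"new_password": "correct-horse-battery"})
    print(handle_password_change(forged))
```

The Origin comparison is done on the parsed scheme and host rather than with a prefix match, so `https://app.example.evil` is not mistaken for the trusted origin. Note that the token check is what protects against a same-origin script injected through XSS reading the cookie and replaying it; if an attacker can already run script in the first-party origin, as in the chain above, the CSRF token must additionally be kept out of reach of that script, which is why fixing the reflected XSS was necessary and not merely nice to have.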
