TikTok has addressed two vulnerabilities that, when chained together, could have allowed attackers to take over the accounts of users who signed up via third-party apps with a single click.
The social media platform owned by Beijing-based ByteDance is used for sharing short-form looping mobile videos of 3 to 60 seconds.
TikTok’s Android app currently has over 1 billion installs according to official Google Play Store stats, and the app crossed the 2 billion installs mark across all mobile platforms in April 2020 based on Sensor Tower Store Intelligence estimates.
Found via fuzz testing
German bug bounty hunter Muhammed Taskiran discovered a reflected cross-site scripting (XSS) security bug — also known as a non-persistent XSS — in a TikTok URL parameter reflecting its value without proper sanitization.
Taskiran found the reflected XSS, which could also have led to data exfiltration, while fuzz testing the company’s www.tiktok.com and m.tiktok.com domains.
He also found a TikTok API endpoint vulnerable to cross-site request forgery (CSRF) attacks that made it possible to change the account passwords of users who signed up using third-party apps.
“The endpoint enabled me to set a new password on accounts which had used third-party apps to sign up,” Taskiran said.
“I combined both vulnerabilities by crafting a simple JavaScript payload – triggering the CSRF – which I injected into the vulnerable URL parameter from earlier, to achieve a ‘one-click account takeover’.”
Taskiran reported the account takeover attack chain to TikTok on August 26, 2020; the company resolved the issues and awarded the bug hunter a $3,860 bounty on September 18.
More account hijacking flaws fixed last year
TikTok also addressed a batch of security vulnerabilities in its infrastructure allowing potential attackers to hijack accounts to manipulate users’ videos and steal their info.
The security issues were disclosed to ByteDance by Check Point researchers in late November 2019, with the company fixing the bugs within one month.
Attackers could have used TikTok’s SMS system to exploit the vulnerabilities to upload unauthorized videos, delete videos, switch users’ videos from private to public, and steal sensitive personal data.
“TikTok is committed to protecting user data,” TikTok security engineer Luke Deshotels said at the time. “Like many organizations, we encourage responsible security researchers to privately disclose zero-day vulnerabilities to us.”